diff options
| -rw-r--r-- | README.md | 16 | ||||
| -rw-r--r-- | etc/atril.profile | 1 | ||||
| -rw-r--r-- | etc/audacious.profile | 1 | ||||
| -rw-r--r-- | etc/audacity.profile | 1 | ||||
| -rw-r--r-- | etc/eog.profile | 1 | ||||
| -rw-r--r-- | etc/eom.profile | 1 | ||||
| -rw-r--r-- | etc/galculator.profile | 1 | ||||
| -rw-r--r-- | etc/gimp.profile | 1 | ||||
| -rw-r--r-- | etc/gnome-calculator.profile | 1 | ||||
| -rw-r--r-- | etc/handbrake.profile | 1 | ||||
| -rw-r--r-- | etc/inkscape.profile | 1 | ||||
| -rw-r--r-- | etc/kdenlive.profile | 1 | ||||
| -rw-r--r-- | etc/krita.profile | 1 | ||||
| -rw-r--r-- | etc/openshot.profile | 1 | ||||
| -rw-r--r-- | etc/qbittorrent.profile | 1 | ||||
| -rw-r--r-- | etc/rhythmbox.profile | 1 | ||||
| -rw-r--r-- | etc/totem.profile | 1 |
17 files changed, 25 insertions, 7 deletions
| @@ -207,13 +207,15 @@ AppArmor features are supported on overlayfs and chroot sandboxes. | |||
| 207 | 207 | ||
| 208 | We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys | 208 | We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys |
| 209 | and /run/user directories were moved out of the profile into firejail executable. | 209 | and /run/user directories were moved out of the profile into firejail executable. |
| 210 | 210 | We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to | |
| 211 | We intend to start apparmor by default for browsers, torrent clients and media players. | 211 | enable/disable apparmor functionality globally. By default the flag is enabled. |
| 212 | So far we cover Firefox (firefox-common.profile), Chromium (chromium-common.profile), | 212 | |
| 213 | transmission-qt, transmission-gtk, vlc and mpv. | 213 | AppArmor deployment: we are starting apparmor by default for the following programs: |
| 214 | 214 | - web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile) | |
| 215 | "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to enable/disable apparmor functionality globally | 215 | - torrent clients: transmission-qt, transmission-gtk, qbittorrent |
| 216 | By default the flag is enabled. | 216 | - media players: vlc, mpv, audacious, totem, rhythmbox |
| 217 | - media editing: kdenlive, audacity, handbrake, gimp, inkscape, krita, openshot | ||
| 218 | - etc.: atril, gnome-calculator, galculator, eom, eog | ||
| 217 | 219 | ||
| 218 | Checking apparmor status: | 220 | Checking apparmor status: |
| 219 | ````` | 221 | ````` |
diff --git a/etc/atril.profile b/etc/atril.profile index 215f0ab96..5d8cc54bd 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
| @@ -31,6 +31,7 @@ protocol unix | |||
| 31 | seccomp | 31 | seccomp |
| 32 | shell none | 32 | shell none |
| 33 | tracelog | 33 | tracelog |
| 34 | apparmor | ||
| 34 | 35 | ||
| 35 | private-bin atril, atril-previewer, atril-thumbnailer | 36 | private-bin atril, atril-previewer, atril-thumbnailer |
| 36 | private-dev | 37 | private-dev |
diff --git a/etc/audacious.profile b/etc/audacious.profile index 9a11022e3..818d4455b 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
| @@ -26,6 +26,7 @@ protocol unix,inet,inet6 | |||
| 26 | seccomp | 26 | seccomp |
| 27 | shell none | 27 | shell none |
| 28 | tracelog | 28 | tracelog |
| 29 | apparmor | ||
| 29 | 30 | ||
| 30 | # private-bin audacious | 31 | # private-bin audacious |
| 31 | private-dev | 32 | private-dev |
diff --git a/etc/audacity.profile b/etc/audacity.profile index ea1d38132..3575e297a 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
| @@ -29,6 +29,7 @@ protocol unix | |||
| 29 | seccomp | 29 | seccomp |
| 30 | shell none | 30 | shell none |
| 31 | tracelog | 31 | tracelog |
| 32 | apparmor | ||
| 32 | 33 | ||
| 33 | private-bin audacity | 34 | private-bin audacity |
| 34 | private-dev | 35 | private-dev |
diff --git a/etc/eog.profile b/etc/eog.profile index 6d61dceac..e5302a84f 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
| @@ -32,6 +32,7 @@ novideo | |||
| 32 | protocol unix | 32 | protocol unix |
| 33 | seccomp | 33 | seccomp |
| 34 | shell none | 34 | shell none |
| 35 | apparmor | ||
| 35 | 36 | ||
| 36 | private-bin eog | 37 | private-bin eog |
| 37 | private-dev | 38 | private-dev |
diff --git a/etc/eom.profile b/etc/eom.profile index c7af470c6..e5024a2bf 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
| @@ -33,6 +33,7 @@ protocol unix | |||
| 33 | seccomp | 33 | seccomp |
| 34 | shell none | 34 | shell none |
| 35 | tracelog | 35 | tracelog |
| 36 | apparmor | ||
| 36 | 37 | ||
| 37 | private-bin eom | 38 | private-bin eom |
| 38 | private-dev | 39 | private-dev |
diff --git a/etc/galculator.profile b/etc/galculator.profile index 0923d7e55..c851e7038 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
| @@ -32,6 +32,7 @@ protocol unix | |||
| 32 | seccomp | 32 | seccomp |
| 33 | shell none | 33 | shell none |
| 34 | tracelog | 34 | tracelog |
| 35 | apparmor | ||
| 35 | 36 | ||
| 36 | private-bin galculator | 37 | private-bin galculator |
| 37 | private-dev | 38 | private-dev |
diff --git a/etc/gimp.profile b/etc/gimp.profile index 2a0698cc3..1f15677a1 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile | |||
| @@ -26,6 +26,7 @@ notv | |||
| 26 | protocol unix | 26 | protocol unix |
| 27 | seccomp | 27 | seccomp |
| 28 | shell none | 28 | shell none |
| 29 | apparmor | ||
| 29 | 30 | ||
| 30 | private-dev | 31 | private-dev |
| 31 | private-tmp | 32 | private-tmp |
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 03e68a5cc..b6fcb0668 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile | |||
| @@ -27,6 +27,7 @@ novideo | |||
| 27 | protocol unix,inet,inet6 | 27 | protocol unix,inet,inet6 |
| 28 | seccomp | 28 | seccomp |
| 29 | shell none | 29 | shell none |
| 30 | apparmor | ||
| 30 | 31 | ||
| 31 | disable-mnt | 32 | disable-mnt |
| 32 | private-bin gnome-calculator | 33 | private-bin gnome-calculator |
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index f8554d50c..dd814222b 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile | |||
| @@ -23,6 +23,7 @@ novideo | |||
| 23 | protocol unix,inet,inet6,netlink | 23 | protocol unix,inet,inet6,netlink |
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | apparmor | ||
| 26 | 27 | ||
| 27 | private-dev | 28 | private-dev |
| 28 | private-tmp | 29 | private-tmp |
diff --git a/etc/inkscape.profile b/etc/inkscape.profile index d2929412b..924691743 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile | |||
| @@ -28,6 +28,7 @@ novideo | |||
| 28 | protocol unix | 28 | protocol unix |
| 29 | seccomp | 29 | seccomp |
| 30 | shell none | 30 | shell none |
| 31 | apparmor | ||
| 31 | 32 | ||
| 32 | # private-bin inkscape,potrace - problems on Debian stretch | 33 | # private-bin inkscape,potrace - problems on Debian stretch |
| 33 | private-dev | 34 | private-dev |
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b6d48356d..a52cd832f 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
| @@ -25,6 +25,7 @@ notv | |||
| 25 | protocol unix,netlink | 25 | protocol unix,netlink |
| 26 | seccomp | 26 | seccomp |
| 27 | shell none | 27 | shell none |
| 28 | apparmor | ||
| 28 | 29 | ||
| 29 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper | 30 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper |
| 30 | private-dev | 31 | private-dev |
diff --git a/etc/krita.profile b/etc/krita.profile index c621e2c72..9fddf2214 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
| @@ -27,6 +27,7 @@ novideo | |||
| 27 | protocol unix | 27 | protocol unix |
| 28 | seccomp | 28 | seccomp |
| 29 | shell none | 29 | shell none |
| 30 | apparmor | ||
| 30 | 31 | ||
| 31 | private-dev | 32 | private-dev |
| 32 | private-tmp | 33 | private-tmp |
diff --git a/etc/openshot.profile b/etc/openshot.profile index 1463303b0..5d81df193 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile | |||
| @@ -25,6 +25,7 @@ notv | |||
| 25 | protocol unix,inet,inet6,netlink | 25 | protocol unix,inet,inet6,netlink |
| 26 | seccomp | 26 | seccomp |
| 27 | shell none | 27 | shell none |
| 28 | apparmor | ||
| 28 | 29 | ||
| 29 | private-dev | 30 | private-dev |
| 30 | private-tmp | 31 | private-tmp |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index da870ab76..60bcc73d2 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
| @@ -39,6 +39,7 @@ novideo | |||
| 39 | protocol unix,inet,inet6,netlink | 39 | protocol unix,inet,inet6,netlink |
| 40 | seccomp | 40 | seccomp |
| 41 | shell none | 41 | shell none |
| 42 | apparmor | ||
| 42 | 43 | ||
| 43 | private-bin qbittorrent,python* | 44 | private-bin qbittorrent,python* |
| 44 | private-dev | 45 | private-dev |
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9401f6681..b6f16cecf 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
| @@ -25,6 +25,7 @@ protocol unix,inet,inet6 | |||
| 25 | seccomp | 25 | seccomp |
| 26 | shell none | 26 | shell none |
| 27 | tracelog | 27 | tracelog |
| 28 | apparmor | ||
| 28 | 29 | ||
| 29 | private-bin rhythmbox | 30 | private-bin rhythmbox |
| 30 | private-dev | 31 | private-dev |
diff --git a/etc/totem.profile b/etc/totem.profile index be0617024..2b591cc69 100644 --- a/etc/totem.profile +++ b/etc/totem.profile | |||
| @@ -23,6 +23,7 @@ noroot | |||
| 23 | protocol unix,inet,inet6 | 23 | protocol unix,inet,inet6 |
| 24 | seccomp | 24 | seccomp |
| 25 | shell none | 25 | shell none |
| 26 | apparmor | ||
| 26 | 27 | ||
| 27 | private-bin totem | 28 | private-bin totem |
| 28 | private-dev | 29 | private-dev |