-rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 16 insertions, 0 deletions
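--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
+
 ##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
@@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+owner /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+owner /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
 
+# Needed for chromium
+ptrace (trace tracedby),
+
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -135,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
+
+##########
 # Allow all networking functionality, and control it from Firejail.
 ##########
 network inet,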
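Review bot: The new `ptrace (trace tracedby),` in the third hunk carries no peer restriction, so it permits tracing of and by any other confined or unconfined peer, and the adjacent unowned `/proc/@{PID}/mem r,` is correspondingly broad; both land in the section whose header says its purpose is to mask /proc information leakage. If, as the comment suggests, these rules exist for chromium's own sandbox tracing its child processes, confining them to the profile itself should preserve that use: `ptrace (trace tracedby) peer=@{profile_name},` and `owner /proc/@{PID}/mem r,`, which would also match the `owner` qualifier the same hunk applies to the oom_adj and oom_score_adj writes. The kernel's own ptrace access check still gates reads of another process's mem, so the practical exposure depends on the running yama ptrace_scope value and the sandbox's PID namespace, neither of which is visible in this diff. Separately, the new comment in the last hunk reads `# Allow acces to cups printing socket`; `access` is misspelled.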