-rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 11 insertions, 5 deletions
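--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,6 +21,12 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
+# Allows to attach to a running program and modify the process memory.
+# May be needed by chromium crash handler. Uncomment if you need it.
+##########
+#ptrace (trace tracedby),
+
+##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
 ##########
 / r,
@@ -53,6 +59,10 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Allow logging Firejail blacklist violations to journal
+/{,var/}run/systemd/journal/socket w,
+/{,var/}run/systemd/journal/dev-log w,
+
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
 
@@ -72,10 +82,6 @@ deny /proc/@{PID}/oom_score_adj w,
 # Uncomment to silence all denied write warnings
 #deny /sys/** w,
 
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
-#ptrace (trace tracedby),
-
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -107,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
-# Allow acces to cups printing socket
+# Allow acces to cups printing socket.
 ##########
 /run/cups/cups.sock w,
 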
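Review bot: The two rules under `# Allow logging Firejail blacklist violations to journal` in the second hunk grant write access to both the native journal socket and the syslog-compatibility socket (`dev-log`) to every process confined by this profile, not only to whatever component reports the violations, and the comment does not say why both paths are needed. Presumably the reporting is done from inside the sandboxed process via syslog(3), with `/dev/log` resolving to `dev-log` on systemd hosts — if so, the comment should record that, e.g. `# Violations are reported from inside the sandbox via syslog(3); /dev/log resolves to dev-log on systemd`. Since the grant is profile-wide, any confined program can now emit journal records of its own, so anything that consumes these violation entries should key on the sender metadata the journal attaches rather than on message text; a short note to that effect next to the rules would spare the next reader from having to rediscover it. The `/{,var/}run/` spelling matches the existing wine rule a few lines below, which is good.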