-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | etc/apparmor/firejail-base | 26 |
2 files changed, 31 insertions, 1 deletions
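--- a/Makefile.in
+++ b/Makefile.in
@@ -144,9 +144,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 # install apparmor profile
 sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
 install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
-sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
 # install apparmor profile customization file
+sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+# install apparmor base abstraction drop-in
+sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
 endif
 ifneq ($(HAVE_MAN),no)
 # man pages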
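Review bot: The two new `sh -c "if [ ! -d ... ]; then install -d ...; fi;"` lines for `abstractions` and `abstractions/base.d` are redundant wrappers: `install -d` already creates missing parent directories and is a no-op on an existing one, so a single `install -d -m 755 $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d` does the same work without the nested quoting that breaks if `$(DESTDIR)` contains spaces. The new `install -m 0644 etc/apparmor/firejail-base ...` line also mixes `$(DESTDIR)$(sysconfdir)` with the `$(DESTDIR)/$(sysconfdir)` form used on the surrounding lines; harmless, but worth unifying while the block is being touched. Unlike the `local/firejail-default` customization file above it, the drop-in is overwritten unconditionally on every install, which looks intentional for a packaged file and deserves a one-line comment such as `# always overwritten: this file is owned by the package, not the admin`. The enclosing install recipe starts and ends outside this hunk.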
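--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,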
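Review bot: The `mr` rule for `run/firejail/lib/*.so` and the `r` rule for `mnt/fslogger` are the only two rules without an `owner` qualifier, and the file does not say why; since a drop-in under `abstractions/base.d` is picked up by every profile that includes the base abstraction, a reader auditing profile scope needs that rationale on the line. Presumably the preload libraries and the fslogger pipe are created by Firejail as root rather than by the confined user, so `owner` would never match — if so, say it: `# no owner qualifier: these files are not owned by the sandboxed user`. The header could likewise state the scope explicitly, e.g. `# Loaded by every profile that includes abstractions/base`, so the widening effect is visible without reading the AppArmor include rules.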