Diffstat (limited to 'etc/apparmor')
-rw-r--r-- | etc/apparmor/firejail-default | 155 |
1 files changed, 155 insertions, 0 deletions
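--- /dev/null
+++ b/etc/apparmor/firejail-default
@@ -0,0 +1,155 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
+
+profile firejail-default flags=(attach_disconnected,mediate_deleted) {
+
+##########
+# Allow D-Bus access. It may negatively affect security. Comment those lines or
+# use 'nodbus' option in profile if you don't need D-Bus functionality.
+##########
+#include <abstractions/dbus-strict>
+#include <abstractions/dbus-session-strict>
+dbus,
+
+##########
+# With ptrace it is possible to inspect and hijack running programs.
+##########
+# Uncomment this line to allow all ptrace access
+#ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=@{profile_name},
+
+##########
+# Allow read access to whole filesystem and control it from firejail.
+##########
+/{,**} rklm,
+
+##########
+# Allow write access to paths writable in firejail which aren't used for
+# executing programs. /run, /proc and /sys are handled separately.
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
+
+##########
+# Whitelist writable paths under /run, /proc and /sys.
+##########
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
+
+# Allow writing to removable media
+owner /{,var/}run/media/** w,
+
+# Allow logging Firejail blacklist violations to journal
+/{,var/}run/systemd/journal/socket w,
+/{,var/}run/systemd/journal/dev-log w,
+
+# Allow access to cups printing socket.
+/{,var/}run/cups/cups.sock w,
+
+# Allow access to pcscd socket (smartcards)
+/{,var/}run/pcscd/pcscd.comm w,
+
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
+
+# Needed for electron apps
+/proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
+
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
+
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
+#/{,run/firejail/mnt/oroot/}home/** ix,
+
+# Appimage support
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
+
+##########
+# Blacklist specific sensitive paths.
+##########
+deny /**/.fscrypt/ rw,
+deny /**/.fscrypt/** rwklmx,
+deny /**/.snapshots/ rw,
+deny /**/.snapshots/** rwklmx,
+
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+# needed for wireshark
+network packet,
+
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal (send) peer=@{profile_name},
+signal (receive),
+
+##########
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+#capability audit_write,
+#capability audit_control,
+capability setfcap,
+#capability mac_override,
+#capability mac_admin,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/firejail-local>
+}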
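Review bot: The blacklist rules `deny /**/.fscrypt/ rw,` and `deny /**/.snapshots/ rw,` (and their `/**` companions) require a path component between the two slashes, so — unless `**` can stand in for a single `/` here — the mount-root directories `/.fscrypt/` and `/.snapshots/` are not matched and stay readable through the broad `/{,**} rklm,` grant earlier in the profile; those root-level locations are the default for fscrypt metadata and for btrfs/snapper snapshots, which is presumably what the deny is meant to cover. Writing them as `deny /{,**/}.fscrypt/ rw,` and `deny /{,**/}.fscrypt/** rwklmx,` (and likewise for `.snapshots`) covers both the mount root and nested copies in one rule each. Separately, `/proc/@{PID}/comm w,` under "Needed for electron apps" is the only /proc write rule here without `owner`, unlike the uid_map, oom_score_adj and clear_refs neighbours; if dropping `owner` is deliberate, a one-line comment stating why would keep the next reader from tightening it by mistake.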