1 files changed, 154 insertions, 0 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
new file mode 100644
index 000000000..1b0eb7658
--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+profile firejail-default {
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+}

diff --git a/etc/firejail-default b/etc/firejail-default new file mode 100644 index 000000000..1b0eb7658 --- /dev/null +++ b/etc/firejail-default
@@ -0,0 +1,154 @@
	1	#########################################
	2	# Generic Firejail AppArmor profile
	3	#########################################
	4
	5	##########
	6	# A simple PID declaration based on Ubuntu's @{pid}
	7	# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
	8	# We don't know if this definition is available outside Debian and Ubuntu, so
	9	# we declare our own here.
	10	##########
	11	@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
	12
	13	profile firejail-default {
	14
	15	##########
	16	# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
	17	# functionality.
	18	##########
	19	#dbus,
	20
	21	##########
	22	# Mask /proc and /sys information leakage. The configuration here is barely
	23	# enough to run "top" or "ps aux".
	24	##########
	25	/ r,
	26	/[^proc,^sys]** mrwlk,
	27	/{,var/}run/ r,
	28	/{,var/}run/** r,
	29	/{,var/}run/user/**/dconf/ rw,
	30	/{,var/}run/user/**/dconf/user rw,
	31	/{,var/}run/user/**/pulse/ rw,
	32	/{,var/}run/user//pulse/ rw,
	33	/{,var/}run/firejail/mnt/fslogger r,
	34	/{,var/}run/firejail/appimage r,
	35	/{,var/}run/firejail/appimage/** r,
	36	/{,var/}run/firejail/appimage/** ix,
	37	/{run,dev}/shm/ r,
	38	/{run,dev}/shm/** rmwk,
	39
	40	/proc/ r,
	41	/proc/meminfo r,
	42	/proc/cpuinfo r,
	43	/proc/filesystems r,
	44	/proc/uptime r,
	45	/proc/loadavg r,
	46	/proc/stat r,
	47
	48	/proc/@{PID}/ r,
	49	/proc/@{PID}/fd/ r,
	50	/proc/@{PID}/task/ r,
	51	/proc/@{PID}/cmdline r,
	52	/proc/@{PID}/comm r,
	53	/proc/@{PID}/stat r,
	54	/proc/@{PID}/statm r,
	55	/proc/@{PID}/status r,
	56	/proc/@{PID}/task/@{PID}/stat r,
	57	/proc/sys/kernel/pid_max r,
	58	/proc/sys/kernel/shmmax r,
	59	/proc/sys/vm/overcommit_memory r,
	60	/proc/sys/vm/overcommit_ratio r,
	61
	62	/sys/ r,
	63	/sys/bus/ r,
	64	/sys/bus/** r,
	65	/sys/class/ r,
	66	/sys/class/** r,
	67	/sys/devices/ r,
	68	/sys/devices/** r,
	69
	70	/proc/@{PID}/maps r,
	71	/proc/@{PID}/mounts r,
	72	/proc/@{PID}/mountinfo r,
	73	/proc/@{PID}/oom_score_adj r,
	74
	75	##########
	76	# Allow running programs only from well-known system directories. If you need
	77	# to run programs from your home directory, uncomment /home line.
	78	##########
	79	/lib/** ix,
	80	/lib64/** ix,
	81	/bin/** ix,
	82	/sbin/** ix,
	83	/usr/bin/** ix,
	84	/usr/sbin/** ix,
	85	/usr/local/** ix,
	86	/usr/lib/** ix,
	87	/usr/games/** ix,
	88	/opt/ r,
	89	/opt/** r,
	90	/opt/** ix,
	91	#/home/** ix,
	92
	93	##########
	94	# Allow all networking functionality, and control it from Firejail.
	95	##########
	96	network inet,
	97	network inet6,
	98	network unix,
	99	network netlink,
	100	network raw,
	101
	102	##########
	103	# There is no equivalent in Firejail for filtering signals.
	104	##########
	105	signal,
	106
	107	##########
	108	# We let Firejail deal with capabilities.
	109	##########
	110	capability chown,
	111	capability dac_override,
	112	capability dac_read_search,
	113	capability fowner,
	114	capability fsetid,
	115	capability kill,
	116	capability setgid,
	117	capability setuid,
	118	capability setpcap,
	119	capability linux_immutable,
	120	capability net_bind_service,
	121	capability net_broadcast,
	122	capability net_admin,
	123	capability net_raw,
	124	capability ipc_lock,
	125	capability ipc_owner,
	126	capability sys_module,
	127	capability sys_rawio,
	128	capability sys_chroot,
	129	capability sys_ptrace,
	130	capability sys_pacct,
	131	capability sys_admin,
	132	capability sys_boot,
	133	capability sys_nice,
	134	capability sys_resource,
	135	capability sys_time,
	136	capability sys_tty_config,
	137	capability mknod,
	138	capability lease,
	139	capability audit_write,
	140	capability audit_control,
	141	capability setfcap,
	142	capability mac_override,
	143	capability mac_admin,
	144
	145	##########
	146	# We let Firejail deal with mount/umount functionality.
	147	##########
	148	mount,
	149	remount,
	150	umount,
	151	pivot_root,
	152
	153	}
	154