Diffstat (limited to 'etc/firejail-default')
-rw-r--r-- | etc/firejail-default | 154 |
1 files changed, 154 insertions, 0 deletions
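--- /dev/null
+++ b/etc/firejail-default
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+
+profile firejail-default {
+
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+
+}
+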
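Review bot: The rule `/[^proc,^sys]** mrwlk,` on line 26 is a single-character bracket expression, not an exclusion of the two directory names: it matches any path whose first character after `/` is not one of `p`, `r`, `o`, `c`, `,`, `^`, `s`, `y`, so `/proc` and `/sys` are kept out only as a side effect, while `/root/**`, `/srv/**`, `/snap/**` and `/cdrom/**` also silently fail to match. That is presumably why the separate `/{,var/}run/`, `/opt/` and `/sbin/** ix` rules further down were needed. Since AppArmor globs have no negated-name form and a `deny /proc/** r,` would override the explicit `/proc/...` and `/sys/...` allows that follow, the intent is clearer if the permitted top-level directories are listed, e.g. `/{bin,boot,dev,etc,home,lib,lib64,media,mnt,opt,root,srv,tmp,usr,var}/** mrwlk,` (extended to whatever the target distributions actually mount), with the masked paths then following as they do now. The same rule grants `w` and `m` together on those files; if that is deliberate because Firejail's own sandboxing is expected to handle it, a one-line comment above the rule saying so would help the next maintainer.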