Diffstat (limited to 'etc')
-rw-r--r-- | etc/apparmor/firejail-base | 15 |
1 files changed, 8 insertions, 7 deletions
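--- a/etc/apparmor/firejail-base
+++ b/etc/apparmor/firejail-base
@@ -1,26 +1,27 @@
 #########################################
 # Firejail base abstraction drop-in
-#########################################
-
+#
 # Adds basic Firejail support to AppArmor profiles.
 # Please note: Firejail's nonewprivs and seccomp options
 # are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
 
 # Discovery of process names
-owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+owner /proc/@{pid}/comm r,
 
 ##########
 # Following paths only exist inside a Firejail sandbox
 ##########
 
 # Library preloading
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+/{,var/}run/firejail/lib/*.so mr,
 
 # Supporting seccomp
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
 
 # Supporting trace
-owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+owner /{,var/}run/firejail/mnt/trace w,
 
 # Supporting tracelog
-/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/mnt/fslogger r,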
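Review bot: The new header line 7 says only that chroot options are unsupported, but what this hunk actually narrows is the `run/firejail/mnt/oroot/` alternation in the five path rules (old lines 10, 17, 20, 23, 26), and that prefix presumably belongs to Firejail's overlay root rather than its chroot option. If sandboxes using that overlay root are now also outside the scope of this abstraction, the note should say so, for example `# Also there is no support for Firejail chroot and overlay options.`, so that an administrator who sees AppArmor DENIED events for /run/firejail/mnt/oroot/... paths can trace them to this drop-in instead of to a broken profile. Please confirm the mapping between that mount path and the Firejail option before adjusting the wording.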