Diffstat (limited to 'etc')
-rw-r--r-- | etc/apparmor/firejail-base | 26 |
1 files changed, 26 insertions, 0 deletions
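--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,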
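Review bot: The two rules without the `owner` qualifier (the `lib/*.so mr` rule on line 17 and the `mnt/fslogger r` rule on line 26) sit next to rules that use it, and nothing in the file explains the difference, which is exactly what an auditor of this abstraction will ask about. Presumably these files are created by the firejail launcher rather than by the confined user's uid, so `owner` would never match — confirm that, and record it: `# No 'owner' here: created by the firejail launcher, not by the confined user`. The `lib/*.so mr` rule is the one that grants mapping executable code, so the comment is most valuable there. The "Supporting tracelog" heading on line 25 also names a feature while the rule names `fslogger`; a one-line comment such as `# tracelog reads its log target from mnt/fslogger` would make the pairing explicit if that is indeed the relationship.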