Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 103 |
1 files changed, 37 insertions, 66 deletions
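diff --git a/etc/firejail-default b/etc/firejail-default
index 09dc896e6..d6aeac75b 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line
+# is needed only for debugging. To allow ptrace, uncomment the following line.
 ##########
 #ptrace,
 
 ##########
-# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
+# Allow read access to whole filesystem and control it from firejail.
 ##########
-/ r,
-/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/{,**} rklm,
 
-/{,var/}run/ r,
-/{,var/}run/** r,
-/run/firejail/mnt/oroot/{,var/}run/ r,
-/run/firejail/mnt/oroot/{,var/}run/** r,
-
-owner /{,var/}run/user/[0-9]*/** rw,
-owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
+##########
+# Allow write access to paths writable in firejail which aren't used for
+# executing programs. /run, /proc and /sys are handled separately.
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
 
-/{,var/}run/firejail/mnt/fslogger r,
-/{,var/}run/firejail/appimage r,
-/{,var/}run/firejail/appimage/** r,
-/{,var/}run/firejail/appimage/** ix,
-/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
+##########
+# Whitelist writable paths under /run, /proc and /sys.
+##########
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
 
-/{run,dev}/shm/ r,
-owner /{run,dev}/shm/** rmwk,
-/run/firejail/mnt/oroot/{run,dev}/shm/ r,
-owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
 
-##########
-# Allow /proc and /sys read-only access.
-# Blacklisting is controlled from userspace Firejail.
-##########
-/proc/ r,
-/proc/** r,
+# Allow access to cups printing socket.
+/{,var/}run/cups/cups.sock w,
+
+# Needed for firefox sandbox
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
-# Uncomment to silence all denied write warnings
-#deny /proc/** w,
+
+# Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
 
-/sys/ r,
-/sys/** r,
 # Uncomment to silence all denied write warnings
-#deny /sys/** w,
+#deny /proc/** w,
 
-# Blacklist snapshots
-deny /**/.snapshots/ rwx,
+# Uncomment to silence all denied write warnings
+#deny /sys/** w,
 
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
 ##########
-/lib/** ix,
-/lib64/** ix,
-/bin/** ix,
-/sbin/** ix,
-/usr/bin/** ix,
-/usr/sbin/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
-/usr/lib64/** ix,
-/usr/games/** ix,
-/opt/** ix,
-#/home/** ix,
-/run/firejail/mnt/oroot/lib/** ix,
-/run/firejail/mnt/oroot/lib64/** ix,
-/run/firejail/mnt/oroot/bin/** ix,
-/run/firejail/mnt/oroot/sbin/** ix,
-/run/firejail/mnt/oroot/usr/bin/** ix,
-/run/firejail/mnt/oroot/usr/sbin/** ix,
-/run/firejail/mnt/oroot/usr/local/** ix,
-/run/firejail/mnt/oroot/usr/lib/** ix,
-/run/firejail/mnt/oroot/usr/lib64/** ix,
-/run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
+
+# Appimage support
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
 
 ##########
-# Allow access to cups printing socket.
+# Blacklist specific sensitive paths.
 ##########
-/run/cups/cups.sock w,
+# Common backup directory
+deny /**/.snapshots/ rwx,
 
 ##########
 # Allow all networking functionality, and control it from Firejail.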
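Review bot: The new rule `/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,` at new line 82 of the second hunk enables program execution from home directories by default, whereas the `#/home/** ix,` it replaces was commented out and the header comment kept at new lines 74-75 still tells the user to "uncomment /home line" if they need that. The rule and the comment now contradict each other, and an active ix grant under /home undercuts the section's stated intent of running programs only from well-known system directories. Either restore the opt-in by writing the line as `#/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,`, or rewrite the header comment to state that execution from home is allowed and which line to comment out to disable it. Note also that the brace alternation expands this rule to /usr/home and /usr/local/home, which looks like a side effect of folding home into the shared pattern rather than a deliberate choice.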