diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail-default | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 56fce654c..5b63503fc 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
@@ -22,12 +22,11 @@ dbus, | |||
22 | 22 | ||
23 | ########## | 23 | ########## |
24 | # With ptrace it is possible to inspect and hijack running programs. | 24 | # With ptrace it is possible to inspect and hijack running programs. |
25 | # Some browsers are also using ptrace for their sandboxing. | ||
26 | ########## | 25 | ########## |
27 | # Uncomment this line to allow all ptrace access | 26 | # Uncomment this line to allow all ptrace access |
28 | #ptrace, | 27 | #ptrace, |
29 | # Allow obtaining some process information, but not ptrace(2) | 28 | # Allow obtaining some process information, but not ptrace(2) |
30 | ptrace (read,readby) peer=firejail-default, | 29 | ptrace (read,readby) peer=@{profile_name}, |
31 | 30 | ||
32 | ########## | 31 | ########## |
33 | # Allow read access to whole filesystem and control it from firejail. | 32 | # Allow read access to whole filesystem and control it from firejail. |
@@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default, | |||
46 | ########## | 45 | ########## |
47 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, | 46 | owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, |
48 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, | 47 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, |
49 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w, | ||
50 | owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w, | ||
51 | |||
52 | owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, | 48 | owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, |
53 | 49 | ||
54 | # Allow writing to removable media | 50 | # Allow writing to removable media |
@@ -58,9 +54,6 @@ owner /{,var/}run/media/** w, | |||
58 | /{,var/}run/systemd/journal/socket w, | 54 | /{,var/}run/systemd/journal/socket w, |
59 | /{,var/}run/systemd/journal/dev-log w, | 55 | /{,var/}run/systemd/journal/dev-log w, |
60 | 56 | ||
61 | # Needed for wine | ||
62 | /{,var/}run/firejail/profile/@{PID} w, | ||
63 | |||
64 | # Allow access to cups printing socket. | 57 | # Allow access to cups printing socket. |
65 | /{,var/}run/cups/cups.sock w, | 58 | /{,var/}run/cups/cups.sock w, |
66 | 59 | ||
@@ -94,11 +87,10 @@ deny /proc/@{PID}/oom_score_adj w, | |||
94 | ########## | 87 | ########## |
95 | # Blacklist specific sensitive paths. | 88 | # Blacklist specific sensitive paths. |
96 | ########## | 89 | ########## |
97 | # Common backup directory | 90 | deny /**/.fscrypt/ rw, |
98 | deny /**/.snapshots/ rwx, | 91 | deny /**/.fscrypt/** rwklmx, |
99 | 92 | deny /**/.snapshots/ rw, | |
100 | # fscrypt | 93 | deny /**/.snapshots/** rwklmx, |
101 | deny /**/.fscrypt/ rwx, | ||
102 | 94 | ||
103 | ########## | 95 | ########## |
104 | # Allow all networking functionality, and control it from Firejail. | 96 | # Allow all networking functionality, and control it from Firejail. |