diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/firejail-default | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/etc/firejail-default b/etc/firejail-default index 842d5a0c4..5ebdccc00 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk, | |||
| 61 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, | 61 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, |
| 62 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | 62 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, |
| 63 | 63 | ||
| 64 | # Needed for wine | ||
| 65 | /{,var/}run/firejail/profile/@{PID} w, | ||
| 66 | |||
| 64 | ########## | 67 | ########## |
| 65 | # Mask /proc and /sys information leakage. The configuration here is barely | 68 | # Mask /proc and /sys information leakage. The configuration here is barely |
| 66 | # enough to run "top" or "ps aux". | 69 | # enough to run "top" or "ps aux". |
| @@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 74 | /proc/stat r, | 77 | /proc/stat r, |
| 75 | /proc/sys/kernel/pid_max r, | 78 | /proc/sys/kernel/pid_max r, |
| 76 | /proc/sys/kernel/shmmax r, | 79 | /proc/sys/kernel/shmmax r, |
| 80 | /proc/sys/kernel/yama/ptrace_scope r, | ||
| 77 | /proc/sys/vm/overcommit_memory r, | 81 | /proc/sys/vm/overcommit_memory r, |
| 78 | /proc/sys/vm/overcommit_ratio r, | 82 | /proc/sys/vm/overcommit_ratio r, |
| 79 | /proc/sys/kernel/random/uuid r, | 83 | /proc/sys/kernel/random/uuid r, |
| @@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 95 | /proc/@{PID}/statm r, | 99 | /proc/@{PID}/statm r, |
| 96 | /proc/@{PID}/status r, | 100 | /proc/@{PID}/status r, |
| 97 | /proc/@{PID}/task/@{PID}/stat r, | 101 | /proc/@{PID}/task/@{PID}/stat r, |
| 102 | /proc/@{PID}/task/@{PID}/status r, | ||
| 98 | /proc/@{PID}/maps r, | 103 | /proc/@{PID}/maps r, |
| 104 | /proc/@{PID}/mem r, | ||
| 99 | /proc/@{PID}/mounts r, | 105 | /proc/@{PID}/mounts r, |
| 100 | /proc/@{PID}/mountinfo r, | 106 | /proc/@{PID}/mountinfo r, |
| 107 | owner /proc/@{PID}/oom_adj w, | ||
| 101 | /proc/@{PID}/oom_score_adj r, | 108 | /proc/@{PID}/oom_score_adj r, |
| 109 | owner /proc/@{PID}/oom_score_adj w, | ||
| 102 | /proc/@{PID}/auxv r, | 110 | /proc/@{PID}/auxv r, |
| 103 | /proc/@{PID}/net/dev r, | 111 | /proc/@{PID}/net/dev r, |
| 104 | /proc/@{PID}/loginuid r, | 112 | /proc/@{PID}/loginuid r, |
| 105 | /proc/@{PID}/environ r, | 113 | /proc/@{PID}/environ r, |
| 106 | 114 | ||
| 115 | # Needed for chromium | ||
| 116 | ptrace (trace tracedby), | ||
| 117 | |||
| 107 | ########## | 118 | ########## |
| 108 | # Allow running programs only from well-known system directories. If you need | 119 | # Allow running programs only from well-known system directories. If you need |
| 109 | # to run programs from your home directory, uncomment /home line. | 120 | # to run programs from your home directory, uncomment /home line. |
| @@ -135,6 +146,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | |||
| 135 | /run/firejail/mnt/oroot/opt/** ix, | 146 | /run/firejail/mnt/oroot/opt/** ix, |
| 136 | 147 | ||
| 137 | ########## | 148 | ########## |
| 149 | # Allow acces to cups printing socket | ||
| 150 | ########## | ||
| 151 | /run/cups/cups.sock w, | ||
| 152 | |||
| 153 | ########## | ||
| 138 | # Allow all networking functionality, and control it from Firejail. | 154 | # Allow all networking functionality, and control it from Firejail. |
| 139 | ########## | 155 | ########## |
| 140 | network inet, | 156 | network inet, |