From 20c1ecc0609874bcb090d3c7bed81639617520d4 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Wed, 14 Feb 2018 17:17:25 +0000
Subject: Apparmor: blacklist /proc and /sys access from firejail

Firejail does blacklisting sensitive /proc and /sys files on its own: https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L530 There is no need to duplicate this in apparmor using whitelisting approach which is much harder to do and needs never ending maintenance.
---
 etc/firejail-default | 48 ++++++------------------------------------------
 1 file changed, 6 insertions(+), 42 deletions(-)

diff --git a/etc/firejail-default b/etc/firejail-default
index f96149bb7..3768e6970 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -57,52 +57,16 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /{,var/}run/firejail/profile/@{PID} w,
 ##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
+# Allow /proc and /sys read-only access.
+# Blacklisting is controlled from Firejail.
 ##########
 /proc/ r,
-/proc/meminfo r,
-/proc/cpuinfo r,
-/proc/filesystems r,
-/proc/uptime r,
-/proc/loadavg r,
-/proc/stat r,
-/proc/sys/kernel/pid_max r,
-/proc/sys/kernel/shmmax r,
-/proc/sys/kernel/yama/ptrace_scope r,
-/proc/sys/vm/overcommit_memory r,
-/proc/sys/vm/overcommit_ratio r,
-/proc/sys/kernel/random/uuid r,
+/proc/** r,
+deny /proc/** w,
 /sys/ r,
-/sys/bus/ r,
-/sys/bus/** r,
-/sys/class/ r,
-/sys/class/** r,
-/sys/devices/ r,
-/sys/devices/** r,
-
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/@{PID}/task/@{PID}/status r,
-/proc/@{PID}/maps r,
-/proc/@{PID}/mem r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-deny /proc/@{PID}/oom_adj w,
-/proc/@{PID}/oom_score_adj r,
-deny /proc/@{PID}/oom_score_adj w,
-/proc/@{PID}/auxv r,
-/proc/@{PID}/net/dev r,
-/proc/@{PID}/loginuid r,
-/proc/@{PID}/environ r,
+/sys/** r,
+deny /sys/** w,
 # Needed by chromium crash handler. Uncomment if you need it.
 #ptrace (trace tracedby),
-- 
cgit v1.2.3-54-g00ecf
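Review bot: The added `deny /proc/** w,` and `deny /sys/** w,` rules mostly change what is logged rather than what is permitted: nothing in this hunk granted those writes before, so they were already refused by the profile's default deny, but an explicit `deny` rule in AppArmor is quiet, so a sandboxed program's attempts to write under /proc or /sys will no longer show up in the audit log. If those attempts are worth seeing (they are a useful signal that an application is misbehaving), write them as `audit deny /proc/** w,` and `audit deny /sys/** w,`; note also that an explicit deny overrides any allow rule, so if the rest of the profile grants a specific /proc or /sys write, that grant is now dead. The new header comment should record the dependency the commit message describes, e.g. `# Sensitive /proc and /sys entries are blacklisted by Firejail itself (src/firejail/fs.c); this profile no longer masks them as a second layer.`, so a later relaxation of that list is made knowing the profile relies on it. The enclosing profile block begins and ends outside the hunk.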