From 92679041124ae39ff6ed03c4bd96e7ef5f4cc487 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 21 Oct 2021 00:17:51 +0200
Subject: add basic Firejail support to AppArmor base abstraction (#3226)
---
 Makefile.in | 6 +++++-
 etc/apparmor/firejail-base | 26 ++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 etc/apparmor/firejail-base
diff --git a/Makefile.in b/Makefile.in
index c94d8c7a4..11193122d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -144,9 +144,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 # install apparmor profile
 sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
 install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
- sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
 # install apparmor profile customization file
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+ # install apparmor base abstraction drop-in
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+ sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+ install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
 endif
 ifneq ($(HAVE_MAN),no)
 # man pages
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..41e4ac2bf
--- /dev/null
+++ b/etc/apparmor/firejail-base
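Review bot: The new drop-in is only ever parsed if the host's `abstractions/base` contains an `include if exists <abstractions/base.d>` line, which as far as I recall only AppArmor 3.0 and later ship; on older hosts the added `sh -c "if [ ! -d ... abstractions/base.d ]..."` line creates the directory itself and the following `install` places a file that nothing reads, with no warning at install time or at load time. That dependency should be recorded next to the rule, e.g. `# install apparmor base abstraction drop-in (only read by an abstractions/base that includes base.d, AppArmor 3.0+; a silent no-op otherwise)`. The added lines also mix `$(DESTDIR)/$(sysconfdir)` in the `[ ! -d ... ]` tests with `$(DESTDIR)$(sysconfdir)` in the `install` destination; that is harmless while sysconfdir is absolute, but since the new lines mirror the pre-existing firejail-default pair they would be the natural place to settle on one spelling. If the Makefile has an uninstall target (outside this hunk), it presumably needs a matching `rm -f` for `abstractions/base.d/firejail-base`, since leaving a stale drop-in behind keeps widening every profile after Firejail is removed.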
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
-- cgit v1.2.3-54-g00ecf
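Review bot: The header should say that this file is pulled into every profile that includes `abstractions/base`, so each rule here widens every AppArmor profile on the host rather than only programs running under Firejail; in particular the unqualified `/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,` rule lets every confined process map anything placed in that directory as executable code. That is fine as long as `/run/firejail/lib` stays root-owned and is populated only by Firejail, which is presumably the case today but is exactly the kind of invariant that gets lost when the directory layout is later reworked, so it belongs in the comment. I would add after the `Please note:` paragraph something like `# This drop-in is included by every profile that uses abstractions/base; keep it minimal and read-only. /run/firejail/lib must remain writable by root only, since 'mr' allows any confined program to map whatever is placed there.` The heading `Following paths only exist inside a Firejail sandbox` is also worth double-checking: unless I misremember, `/run/firejail/lib` is created on the host as well, so `are only used inside a Firejail sandbox` would be the safer wording.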