From bade3d03e0234685e1e9b52ea155392c153950f1 Mon Sep 17 00:00:00 2001 
From: Vincent43 <31109921+Vincent43@users.noreply.github.com> Date: Wed, 7 Feb 2018 16:04:14 +0000 Subject: Apparmor: fix various denials Fixes the following errors: wine: AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/11526" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/5807" pid=11533 comm="wine" requested_mask="d" denied_mask="d" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="unlink" profile="firejail-default" name="/run/firejail/profile/2017" pid=11533 comm="wine" requested_mask="d" cups: AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/cups/cups.sock" pid=11682 comm="lpr" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0 chromium: AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/mem" pid=7858 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/8/oom_score_adj" pid=7858 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/11/mem" pid=7861 comm="chromium"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7861 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="trace" denied_mask="trace" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="chromium" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="trace" denied_mask="trace" peer="firejail-default" AVC apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=7858 comm="TaskSchedulerBa" requested_mask="tracedby" denied_mask="tracedby" peer="firejail-default" AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/mem" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/46/oom_score_adj" pid=7897 comm="chromium" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/sys/kernel/yama/ptrace_scope" pid=7897 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_score_adj" pid=7910 comm="chrome-sandbox" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/58/oom_adj" pid=7910 comm="chrome-sandbox" requested_mask="w"
---
 etc/firejail-default | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/etc/firejail-default b/etc/firejail-default
index 842d5a0c4..5ebdccc00 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -61,6 +61,9 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Needed for wine
+/{,var/}run/firejail/profile/@{PID} w,
+
 ##########
 # Mask /proc and /sys information leakage. The configuration here is barely
 # enough to run "top" or "ps aux".
@@ -74,6 +77,7 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/stat r,
 /proc/sys/kernel/pid_max r,
 /proc/sys/kernel/shmmax r,
+/proc/sys/kernel/yama/ptrace_scope r,
 /proc/sys/vm/overcommit_memory r,
 /proc/sys/vm/overcommit_ratio r,
 /proc/sys/kernel/random/uuid r,
@@ -95,15 +99,22 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /proc/@{PID}/statm r,
 /proc/@{PID}/status r,
 /proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/task/@{PID}/status r,
 /proc/@{PID}/maps r,
+/proc/@{PID}/mem r,
 /proc/@{PID}/mounts r,
 /proc/@{PID}/mountinfo r,
+owner /proc/@{PID}/oom_adj w,
 /proc/@{PID}/oom_score_adj r,
+owner /proc/@{PID}/oom_score_adj w,
 /proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
 /proc/@{PID}/loginuid r,
 /proc/@{PID}/environ r,
 
+# Needed for chromium
+ptrace (trace tracedby),
+
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -134,6 +145,11 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/opt/** r,
 /run/firejail/mnt/oroot/opt/** ix,
 
+##########
+# Allow acces to cups printing socket
+##########
+/run/cups/cups.sock w,
+
 ##########
 # Allow all networking functionality, and control it from Firejail.
 ##########
--
cgit v1.2.3-70-g09d2
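Review bot: `/{,var/}run/firejail/profile/@{PID} w,` in the first hunk grants write (and, under AppArmor file-permission semantics, the unlink the log reports as requested_mask="d") on the profile file of every pid, not only the caller's own, because `@{PID}` is a pattern over all pids; the commit message shows pid 11533 unlinking the files for 11526, 5807 and 2017 with ouid=0, so an `owner` qualifier would not match and the breadth appears to be what wine needs, but the comment should record that. Suggested comment: `# Needed for wine: unlinks /run/firejail/profile/<pid> files (root-owned, so no owner qualifier; @{PID} matches any pid)`. The new rule also uses the `/{,var/}run/` alternation while every neighbouring rule in this hunk, and the cups rule in the fourth hunk, use a bare `/run/` prefix; either form works, but the file should settle on one.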
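Review bot: `/proc/@{PID}/mem r,` in the third hunk lacks the `owner` qualifier that the same hunk puts on the `oom_adj` and `oom_score_adj` write rules, so any process in the sandbox may read the memory of any other process it can otherwise ptrace, inside a section whose header comment says its purpose is to mask /proc information leakage. Every `/proc/<pid>/mem` denial quoted in the commit message has fsuid=1000 ouid=1000, so `owner /proc/@{PID}/mem r,` should satisfy chromium while keeping the narrower scope. The new `ptrace (trace tracedby),` rule carries no `peer=` qualifier; if I read the ptrace rule semantics right that matches any peer label, whereas all quoted ptrace denials show peer="firejail-default", so `ptrace (trace tracedby) peer=firejail-default,` would be the tighter rule that still clears them. The `# Needed for chromium` comment may mislead a reader, since firejail-default is one profile shared by every sandboxed program and the rule applies to all of them; `# Needed by chromium (applies to every program confined by this shared profile)` says that.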
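Review bot: the new section header in the fourth hunk misspells "access": `# Allow acces to cups printing socket` should read `# Allow access to cups printing socket`. The `w` permission matches the quoted connect denials (requested_mask="w" on /run/cups/cups.sock), so the rule itself looks right; it does open the local CUPS socket to every program confined by this shared profile, not just lpr, which the header comment could state so that a reader does not assume a narrower scope.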