From d2a18552e2141126c85ce2011c524c182043bddb Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Sun, 21 Jan 2018 16:50:21 +0000
Subject: Apparmor: restrict access

Access to writable files can be restricted to their owner only.
---
 etc/firejail-default | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/etc/firejail-default b/etc/firejail-default
index eb50d6c65..4d79f9b29 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
 /{,var/}run/ r,
 /{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
-/{,var/}run/user/**/*.slave-socket rwl,
-/{,var/}run/user/**/#@{PID} rw,
-/{,var/}run/user/**/orcexec.* rwkm,
+owner /{,var/}run/user/**/dconf/ rw,
+owner /{,var/}run/user/**/dconf/user rw,
+owner /{,var/}run/user/**/pulse/ rw,
+owner /{,var/}run/user/**/pulse/** rw,
+owner /{,var/}run/user/**/*.slave-socket rwl,
+owner /{,var/}run/user/**/#@{PID} rw,
+owner /{,var/}run/user/**/orcexec.* rwkm,
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
+owner /{run,dev}/shm/** rmwk,
 /proc/ r,
 /proc/meminfo r,
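Review bot: The `owner` qualifier on `owner /{run,dev}/shm/** rmwk,` does not actually restrict `/dev/shm`, because the hunk's first context line, `/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,`, already grants the same `m r w k` permissions on everything under `/dev` with no owner condition, and AppArmor rules are a union in which the broadest allow wins. The same applies to the `/var/run/user/**` spelling of the dconf/pulse/orcexec rules via `/var**`, although that spelling presumably only matters where `/var/run` is not a symlink to `/run`. As committed, the restriction bites only on the `/run/shm` and `/run/user` paths, so on systems where `/dev/shm` is the real shared-memory directory the commit's intent is not met. For `owner` to be meaningful here the broad line would have to stop covering `dev` (and the needed `/dev` subpaths be listed explicitly); otherwise a comment such as `# owner is only effective for the /run spelling; /dev** is allowed unconditionally above` would at least keep the next reader from assuming more than the profile delivers.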
@@ -61,23 +61,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /sys/devices/ r,
 /sys/devices/** r,
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/@{PID}/maps r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-/proc/@{PID}/oom_score_adj r,
-/proc/@{PID}/auxv r,
-/proc/@{PID}/net/dev r,
-/proc/@{PID}/loginuid r,
-/proc/@{PID}/environ r,
+owner /proc/@{PID}/ r,
+owner /proc/@{PID}/fd/ r,
+owner /proc/@{PID}/task/ r,
+owner /proc/@{PID}/cmdline r,
+owner /proc/@{PID}/comm r,
+owner /proc/@{PID}/stat r,
+owner /proc/@{PID}/statm r,
+owner /proc/@{PID}/status r,
+owner /proc/@{PID}/task/@{PID}/stat r,
+owner /proc/@{PID}/maps r,
+owner /proc/@{PID}/mounts r,
+owner /proc/@{PID}/mountinfo r,
+owner /proc/@{PID}/oom_score_adj r,
+owner /proc/@{PID}/auxv r,
+owner /proc/@{PID}/net/dev r,
+owner /proc/@{PID}/loginuid r,
+owner /proc/@{PID}/environ r,
 ##########
 # Allow running programs only from well-known system directories. If you need
-- cgit v1.2.3-70-g09d2

From b20d1041d545cf325ae6050e6d31ab7b8b341b72 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Mon, 22 Jan 2018 12:55:05 +0000
Subject: Apparmor: fix kodi plugins

Kodi plugins need /proc/@PID/net/dev access outside user processes:
AVC apparmor="DENIED" operation="open" profile="firejail-default" name="/proc/28/net/dev" pid=2354 comm="kodi.bin" requested_mask="r" denied_mask="r"
---
 etc/firejail-default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/firejail-default b/etc/firejail-default
index 4d79f9b29..b5d5a2738 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
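Review bot: Putting `owner` on every `/proc/@{PID}/` rule changes behaviour unevenly, and the profile carries no comment saying so. For `environ`, `maps`, `auxv` and `fd/` the kernel already limits reads to a process's own user (ptrace-read access), so `owner` adds nothing there; for `cmdline`, `comm`, `stat`, `statm`, `status`, `mounts`, `mountinfo`, `oom_score_adj`, `loginuid` and `net/dev`, which are world-readable by default, the sandboxed program now loses visibility of every process run by another uid, including system daemons, and will produce DENIED audit lines that look like profile bugs. A one-line comment above the block, `# owner: only /proc entries of the sandboxed user's own processes are readable; other uids' processes are hidden`, would record that the denials are intended. It would also help to state in the profile which world-readable entries are affected, since that is where user-visible breakage is likely to surface.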
@@ -75,7 +75,7 @@ owner /proc/@{PID}/mounts r,
 owner /proc/@{PID}/mountinfo r,
 owner /proc/@{PID}/oom_score_adj r,
 owner /proc/@{PID}/auxv r,
-owner /proc/@{PID}/net/dev r,
+/proc/@{PID}/net/dev r,
 owner /proc/@{PID}/loginuid r,
 owner /proc/@{PID}/environ r,
-- cgit v1.2.3-70-g09d2

From b3d310df7f22602ab2beb2435a03aba194e650f7 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Tue, 23 Jan 2018 09:09:59 +0000
Subject: Apparmor: Revert /proc changes

---
 etc/firejail-default | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/etc/firejail-default b/etc/firejail-default
index b5d5a2738..e5010eaab 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -61,23 +61,23 @@ owner /{run,dev}/shm/** rmwk,
 /sys/devices/ r,
 /sys/devices/** r,
-owner /proc/@{PID}/ r,
-owner /proc/@{PID}/fd/ r,
-owner /proc/@{PID}/task/ r,
-owner /proc/@{PID}/cmdline r,
-owner /proc/@{PID}/comm r,
-owner /proc/@{PID}/stat r,
-owner /proc/@{PID}/statm r,
-owner /proc/@{PID}/status r,
-owner /proc/@{PID}/task/@{PID}/stat r,
-owner /proc/@{PID}/maps r,
-owner /proc/@{PID}/mounts r,
-owner /proc/@{PID}/mountinfo r,
-owner /proc/@{PID}/oom_score_adj r,
-owner /proc/@{PID}/auxv r,
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+/proc/@{PID}/auxv r,
 /proc/@{PID}/net/dev r,
-owner /proc/@{PID}/loginuid r,
-owner /proc/@{PID}/environ r,
+/proc/@{PID}/loginuid r,
+/proc/@{PID}/environ r,
 ##########
 # Allow running programs only from well-known system directories. If you need
-- cgit v1.2.3-70-g09d2
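Review bot: The exception for `/proc/@{PID}/net/dev r,` is explained only in the commit message, so inside the profile it now reads as an inconsistency next to the surrounding `owner` rules and is likely to be "fixed" back by a later contributor. A comment on the line, `# no owner: kodi plugins read /proc/<pid>/net/dev of processes owned by other users`, would preserve the reason the audit log gave. Dropping `owner` here looks low-risk, since `/proc/<pid>/net/dev` reflects the process's network namespace rather than anything private to that process, so reading another pid's copy presumably exposes no more than the sandbox's own `/proc/self/net/dev` would when the namespace is shared; that reasoning is also worth a few words in the comment.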
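Review bot: The revert strips `owner` from the whole `/proc/@{PID}/` block but neither the commit message nor the profile says why, so the rationale (presumably further denials of the kind the kodi commit fixed, though that is an inference) is lost and the restriction may simply be re-applied later. A short comment above the block, `# deliberately not owner-restricted: sandboxed programs need /proc/<pid> of processes run by other users (e.g. daemons)`, would record the decision; the commit message should name the denials that motivated it. Note that after this series `owner` survives only on the `/run/user/**` and `/{run,dev}/shm/**` rules from the first commit, so the profile's header comment, if it describes ownership restrictions, should be checked against that reduced scope.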