From e8da6c2f487b52d4b8ad362c78d841047e46d9ec Mon Sep 17 00:00:00 2001 From: smitsohu Date: Tue, 12 Nov 2019 19:14:17 +0100 Subject: some apparmor profile cleanup writing in /run/firejail/profile has always been restricted to root user, and in addition this folder is blacklisted since recently; @{profile_name} is built-in and adds a bit of flexibility; apparmor cannot be used to restrict directory search permission, so add more rules for sensitive paths --- etc/firejail-default | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/etc/firejail-default b/etc/firejail-default index 56fce654c..5b63503fc 100644 --- a/etc/firejail-default +++ b/etc/firejail-default @@ -22,12 +22,11 @@ dbus, ########## # With ptrace it is possible to inspect and hijack running programs. -# Some browsers are also using ptrace for their sandboxing. ########## # Uncomment this line to allow all ptrace access #ptrace, # Allow obtaining some process information, but not ptrace(2) -ptrace (read,readby) peer=firejail-default, +ptrace (read,readby) peer=@{profile_name}, ########## # Allow read access to whole filesystem and control it from firejail. @@ -46,9 +45,6 @@ ptrace (read,readby) peer=firejail-default, ########## owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, -owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w, -owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w, - owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, # Allow writing to removable media @@ -58,9 +54,6 @@ owner /{,var/}run/media/** w, /{,var/}run/systemd/journal/socket w, /{,var/}run/systemd/journal/dev-log w, -# Needed for wine -/{,var/}run/firejail/profile/@{PID} w, - # Allow access to cups printing socket. /{,var/}run/cups/cups.sock w, 
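Review bot: The new `ptrace (read,readby) peer=@{profile_name},` line should carry a comment explaining what the variable buys, since the only nearby explanation of the ptrace rules (the browser-sandboxing note) is removed in the same hunk and a reader of the installed profile will not see this commit message. Something like `# @{profile_name} is the built-in variable for this profile's own name, so the rule still matches if the profile is installed under another name` would do. Because every sandbox is confined by this single profile, the rule as before grants read-only process inspection between unrelated firejail sandboxes; that is unchanged here, but it is worth stating next to the rule so nobody mistakes it for a per-sandbox restriction. It is also worth confirming and noting the minimum AppArmor parser version that provides `@{profile_name}`, since an older parser would reject the profile at load time rather than degrade gracefully.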
@@ -94,11 +87,10 @@ deny /proc/@{PID}/oom_score_adj w, ########## # Blacklist specific sensitive paths. ########## -# Common backup directory -deny /**/.snapshots/ rwx, - -# fscrypt -deny /**/.fscrypt/ rwx, +deny /**/.fscrypt/ rw, +deny /**/.fscrypt/** rwklmx, +deny /**/.snapshots/ rw, +deny /**/.snapshots/** rwklmx, ########## # Allow all networking functionality, and control it from Firejail. -- cgit v1.2.3-54-g00ecf
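Review bot: The new `deny /**/.fscrypt/ rw,` and `deny /**/.snapshots/ rw,` rules, and their `/**` companions, only match these directories when at least one path component precedes them; whether `/**/` also matches a directory directly under the filesystem root (`/.snapshots/`, `/.fscrypt/`) depends on the parser's glob handling and should be verified, since both are common placements for those directories. If it does not match, adding explicit `deny /.fscrypt/ rw,` / `deny /.fscrypt/** rwklmx,` and the same for `/.snapshots` would close the gap. The hunk also drops the two one-line comments (`# Common backup directory`, `# fscrypt`) that said why these paths are blacklisted; restoring them above the respective rule pairs keeps the rationale in the profile itself. Because the commit message notes AppArmor cannot restrict directory search, a short comment saying that listing and traversal of these directories remain possible and only read/write access is denied would stop a future reader from assuming the paths are fully hidden.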