From 3fbdc9f59a099b960a3a74ccd3c1c29078ecdef3 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 21 Feb 2021 08:47:45 -0500
Subject: apparmor capabilities fix
---
 etc/apparmor/firejail-default | 45 ++++++++-----------------------------------
 1 file changed, 8 insertions(+), 37 deletions(-)
(limited to 'etc/apparmor')
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index 397bf753b..80d527e41 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -126,43 +126,14 @@ signal (receive),
 # We let Firejail deal with capabilities, but ensure that
 # some AppArmor related capabilities will not be available.
 ##########
-capability checkpoint_restore,
-capability perfmon,
-capability bpf,
-capability chown,
-capability dac_override,
-capability dac_read_search,
-capability fowner,
-capability fsetid,
-capability kill,
-capability setgid,
-capability setuid,
-capability setpcap,
-capability linux_immutable,
-capability net_bind_service,
-capability net_broadcast,
-capability net_admin,
-capability net_raw,
-capability ipc_lock,
-capability ipc_owner,
-capability sys_module,
-capability sys_rawio,
-capability sys_chroot,
-capability sys_ptrace,
-capability sys_pacct,
-capability sys_admin,
-capability sys_boot,
-capability sys_nice,
-capability sys_resource,
-capability sys_time,
-capability sys_tty_config,
-capability mknod,
-capability lease,
-#capability audit_write,
-#capability audit_control,
-capability setfcap,
-#capability mac_override,
-#capability mac_admin,
+# The list of recognized capabilities varies from one apparmor version to another.
+# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
+# We allow all caps by default and remove the ones we don't like:
+capability,
+deny capability audit_write,
+deny capability audit_control,
+deny capability mac_override,
+deny capability mac_admin,
 # Site-specific additions and overrides. See local/README for details.
 #include
--
cgit v1.2.3-54-g00ecf
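Review bot: The bare `capability,` rule grants every capability the running AppArmor build recognizes, so the profile stops being an allowlist: anything the removed list did not name (it did not include, for instance, syslog, audit_read, block_suspend or wake_alarm) is now permitted at the AppArmor layer, and only the four `deny capability` lines remain as restrictions. If that widening is the intended trade for portability across AppArmor versions, with Firejail's own capability filtering as the effective control, the new comment should say so, e.g. `# NOTE: "capability," grants all caps known to this apparmor; Firejail's capability filtering is the effective restriction, AppArmor only enforces the deny rules below.`. Otherwise the capabilities that were deliberately absent from the old list can be kept out with additional `deny capability <name>,` lines so the compatibility fix does not enlarge what the profile allows. The deny rules themselves are fine as written, since AppArmor gives deny precedence over the blanket allow.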