From 54c098270f6e726aa23b1606ffdaac2daca60b99 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann
Date: Sun, 27 Jan 2019 16:18:41 +0100
Subject: Allow processes confined with AppArmor to obtain some process information

'firejail --apparmor chromium' logged a huge amount of apparmor denials, because it wants to use read/readby permissions. Allow those accesses, but keep full tracing disabled by default.

See also: https://bugs.debian.org/912587 and apparmor.d(5)
---
 etc/firejail-default | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'etc/firejail-default')

diff --git a/etc/firejail-default b/etc/firejail-default
index 88bf9aa44..02a241c34 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,13 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 dbus,
 
 ##########
-# With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line.
+# With ptrace it is possible to inspect and hijack running programs.
+# Some browsers are also using ptrace for their sandboxing.
 ##########
+# Uncomment this line to allow all ptrace access
 #ptrace,
+# Allow obtaining some process information, but not ptrace(2)
+ptrace (read,readby) peer=firejail-default,
 
 ##########
 # Allow read access to whole filesystem and control it from firejail.
-- 
cgit v1.2.3-54-g00ecf
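Review bot: The comment `# Allow obtaining some process information, but not ptrace(2)` placed above the new `ptrace (read,readby) peer=firejail-default,` rule undersells what `read` grants: per apparmor.d(5), which the commit message cites, it lets the confined process read sensitive data from the peer (for example /proc/PID/environ and maps), and with `peer=firejail-default` the peer is any process confined under this profile, i.e. every firejail sandbox on the host, not only the sandbox the browser runs in. Cross-sandbox visibility is presumably still limited by firejail's own PID namespace separation where that is enabled, but the AppArmor profile itself no longer enforces that boundary, so the rule should say so rather than leave readers assuming it is scoped to one sandbox. I would reword the comment to `# Allow read-only access to process info (e.g. /proc/PID/*) of any firejail-default-confined process; attach/trace stays denied`. The enclosing profile block starts before and continues after this hunk.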