From 873a97a9b3442976a618333c1063da13d2a38025 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Sat, 15 Feb 2020 12:08:25 +0000
Subject: apparmor: minor enhancements

Allow writing some proc paths used by browsers but restrict it to their owner.
---
 etc/firejail-default | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

(limited to 'etc/firejail-default')

diff --git a/etc/firejail-default b/etc/firejail-default
index 2987e538c..1381056b1 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -60,18 +60,15 @@ owner /{,var/}run/media/** w,
 # Allow access to pcscd socket (smartcards)
 /{,var/}run/pcscd/pcscd.comm w,
 
-# Needed for firefox sandbox
-/proc/@{PID}/{uid_map,gid_map,setgroups} w,
+# Needed for browser self-sandboxing
+owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
 
-# Silence noise
-deny /proc/@{PID}/oom_adj w,
-deny /proc/@{PID}/oom_score_adj w,
-
-# Uncomment to silence all denied write warnings
-#deny /sys/** w,
+# Used by chromium
+owner /proc/@{PID}/oom_score_adj w,
+owner /proc/@{PID}/clear_refs w,
 
 ##########
 # Allow running programs only from well-known system directories. If you need
-- 
cgit v1.2.3-70-g09d2
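Review bot: Dropping `deny /proc/@{PID}/oom_adj w,` without a replacement changes logging, not just policy: an AppArmor `deny` rule rejects the access quietly, whereas an unmatched write is still rejected but now produces an audit message, which is exactly the "Silence noise" the removed lines existed for. If the oom_adj writes still happen, keep the one-line rule `deny /proc/@{PID}/oom_adj w,` next to the new chromium block, and consider restoring the commented `#deny /sys/** w,` hint, since that operator guidance is lost by this hunk. Note also that `owner` only requires the target file to carry the caller's fsuid, so the new `uid_map`/`gid_map`/`setgroups` rules presumably permit writes to the entries of any same-user process, not only the confined process's own; if self-only access was the intent, the comment should say the rule is broader than that. For consistency the context line `/proc/@{PID}/comm w,` could take the same `owner` qualifier, e.g. `owner /proc/@{PID}/comm w,`, as nothing in the hunk suggests electron needs to rename other users' threads.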