From d2a18552e2141126c85ce2011c524c182043bddb Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Sun, 21 Jan 2018 16:50:21 +0000
Subject: Apparmor: restrict access
Access to writable files can be restricted to their owner only.
---
 etc/firejail-default | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
(limited to 'etc/firejail-default')
diff --git a/etc/firejail-default b/etc/firejail-default
index eb50d6c65..4d79f9b29 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -26,19 +26,19 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
 /{,var/}run/ r,
 /{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
-/{,var/}run/user/**/*.slave-socket rwl,
-/{,var/}run/user/**/#@{PID} rw,
-/{,var/}run/user/**/orcexec.* rwkm,
+owner /{,var/}run/user/**/dconf/ rw,
+owner /{,var/}run/user/**/dconf/user rw,
+owner /{,var/}run/user/**/pulse/ rw,
+owner /{,var/}run/user/**/pulse/** rw,
+owner /{,var/}run/user/**/*.slave-socket rwl,
+owner /{,var/}run/user/**/#@{PID} rw,
+owner /{,var/}run/user/**/orcexec.* rwkm,
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
 /{,var/}run/firejail/appimage/** r,
 /{,var/}run/firejail/appimage/** ix,
 /{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
+owner /{run,dev}/shm/** rmwk,
 /proc/ r,
 /proc/meminfo r,
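Review bot: The `owner` qualifier added to `/{run,dev}/shm/** rmwk,` probably has no effect for `/dev/shm`, because the unchanged first context line of this hunk, `/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,`, still matches everything under `/dev` with no owner condition, and AppArmor grants the union of all matching allow rules. The same broad rule covers the `/var/run/user/...` spellings through `var`, so only the `/run/...` forms are actually narrowed by the new `owner` lines. If narrowing the broad rule is out of scope for this commit, I would at least record the limit next to the shm rule, e.g. `# NOTE: /dev** mrwlk above also matches /dev/shm/**; owner only takes effect for /run/shm`. The profile continues outside this hunk, so a deny rule elsewhere could change the picture; a write test against a file owned by another user would confirm it.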
@@ -61,23 +61,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /sys/devices/ r,
 /sys/devices/** r,
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/@{PID}/maps r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-/proc/@{PID}/oom_score_adj r,
-/proc/@{PID}/auxv r,
-/proc/@{PID}/net/dev r,
-/proc/@{PID}/loginuid r,
-/proc/@{PID}/environ r,
+owner /proc/@{PID}/ r,
+owner /proc/@{PID}/fd/ r,
+owner /proc/@{PID}/task/ r,
+owner /proc/@{PID}/cmdline r,
+owner /proc/@{PID}/comm r,
+owner /proc/@{PID}/stat r,
+owner /proc/@{PID}/statm r,
+owner /proc/@{PID}/status r,
+owner /proc/@{PID}/task/@{PID}/stat r,
+owner /proc/@{PID}/maps r,
+owner /proc/@{PID}/mounts r,
+owner /proc/@{PID}/mountinfo r,
+owner /proc/@{PID}/oom_score_adj r,
+owner /proc/@{PID}/auxv r,
+owner /proc/@{PID}/net/dev r,
+owner /proc/@{PID}/loginuid r,
+owner /proc/@{PID}/environ r,
 ##########
 # Allow running programs only from well-known system directories. If you need
-- cgit v1.2.3-54-g00ecf
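Review bot: `owner /proc/@{PID}/net/dev r,` may stop matching for an unprivileged sandboxed process, because entries under `/proc/<pid>/net/` are, as far as I know, owned by root (or the network namespace's owner) rather than by the process's user, unlike the other per-process files in this list. I would leave that one rule without the qualifier, `/proc/@{PID}/net/dev r,`, and check the audit log for `DENIED` entries on `net/dev` after running a network-statistics tool inside the sandbox. A comment above this group would also help, e.g. `# @{PID} presumably matches any process ID, so "owner" is what limits these reads to the user's own processes`. The commit message speaks only of writable files, while every rule in this hunk is read-only, so the description could mention the /proc change as well.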