From 4796ca7b9a0cd75e5d42c48f1e3de1983d4de4f6 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Mon, 19 Feb 2018 16:14:15 +0000
Subject: Apparmor: Allow log Firejail blacklist violations

---
 etc/firejail-default | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

(limited to 'etc')

diff --git a/etc/firejail-default b/etc/firejail-default
index 2f959d92a..f9a876f5c 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -20,6 +20,12 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 ##include
 #dbus,
 
+##########
+# Allows to attach to a running program and modify the process memory.
+# May be needed by chromium crash handler. Uncomment if you need it.
+##########
+#ptrace (trace tracedby),
+
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
 ##########
@@ -53,6 +59,10 @@ owner /{run,dev}/shm/** rmwk,
 /run/firejail/mnt/oroot/{run,dev}/shm/ r,
 owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 
+# Allow logging Firejail blacklist violations to journal
+/{,var/}run/systemd/journal/socket w,
+/{,var/}run/systemd/journal/dev-log w,
+
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
 
@@ -72,10 +82,6 @@ deny /proc/@{PID}/oom_score_adj w,
 # Uncomment to silence all denied write warnings
 #deny /sys/** w,
 
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
-#ptrace (trace tracedby),
-
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
@@ -107,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /run/firejail/mnt/oroot/opt/** ix,
 
 ##########
-# Allow acces to cups printing socket
+# Allow acces to cups printing socket.
 ##########
 /run/cups/cups.sock w,
 
-- 
cgit v1.2.3-54-g00ecf
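Review bot: The two added `w` rules in the second hunk grant every process confined by `firejail-default` write access to journald's datagram sockets, not only the blacklist-violation reporting the comment names, so any sandboxed program can now emit arbitrary messages via syslog(3) on `dev-log` or the native journal protocol on `socket` (log injection or flooding of the host journal). AppArmor cannot narrow this by message content, so the widening is probably the price of the feature, but the comment should state it rather than describing only the intended use; something like `# Allow logging Firejail blacklist violations to journal. Note: this also lets any sandboxed program write to syslog/journald.` The violation logging is presumably firejail's --tracelog preload library running inside the sandbox, which is why the permission has to be granted to the confined process itself. These rules sit inside the `profile firejail-default` block, which begins and ends outside the hunk.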
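Review bot: The last hunk edits the cups comment only to add a period and leaves the misspelling on the same line; since the line is already being rewritten it should read `# Allow access to cups printing socket.` The rule below it is unchanged by the commit.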