From 92679041124ae39ff6ed03c4bd96e7ef5f4cc487 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 21 Oct 2021 00:17:51 +0200
Subject: add basic Firejail support to AppArmor base abstraction (#3226)

---
 etc/apparmor/firejail-base | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 etc/apparmor/firejail-base

(limited to 'etc')

diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..41e4ac2bf
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,26 @@
+#########################################
+# Firejail base abstraction drop-in
+#########################################
+
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+
+# Discovery of process names
+owner /{,run/firejail/mnt/oroot/}proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/fslogger r,
--
cgit v1.2.3-54-g00ecf
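Review bot: The header comment at the top of the hunk calls the file a "drop-in" but does not say where it must be installed or which base abstraction is expected to pick it up, so a reader of the installed file cannot tell whether it is active; the subject line suggests it is meant to be included by the base abstraction, presumably via a drop-in include directory on an AppArmor version that supports one — confirm against the install rules. A line such as `# Install into the base abstraction's drop-in directory; it has no effect as a standalone file.` (with the actual target path) would make that explicit. Separately, the `# Library preloading` rule and the `# Supporting tracelog` rule are the only two without the `owner` qualifier that the other three rules carry; if that is deliberate because those files are created by a different uid than the confined process, a one-line comment saying so would stop a later maintainer from "fixing" it into a denial, and if it is not deliberate the `mr` grant on `run/firejail/lib/*.so` is the one to tighten first since it permits mapping code.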