From 7b76763298ccb9e3f9bb58cf1741e55e802f75b7 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Wed, 14 Feb 2018 16:01:22 +0000
Subject: Apparmor: don't duplicate userspace /run/user restrictions

Currently userspace firejail do blacklist approach to /run/user/ directory. By default it blacklist /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles like blacklisting /run/user/**/bus , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening. In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and appamror profile is global. It's even worse as firejail blacklist can be disabled with "writable-run-user" command which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor. The solution for all above is to leave handling of /run/user to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do.
---
 etc/firejail-default | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
(limited to 'etc')

diff --git a/etc/firejail-default b/etc/firejail-default
index 859f8683a..f96149bb7 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -32,20 +32,12 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 /run/firejail/mnt/oroot/{,var/}run/ r,
 /run/firejail/mnt/oroot/{,var/}run/** r,
-owner /{,var/}run/user/**/dconf/ rw,
-owner /{,var/}run/user/**/dconf/user rw,
-owner /{,var/}run/user/**/pulse/ rw,
-owner /{,var/}run/user/**/pulse/** rw,
-owner /{,var/}run/user/**/*.slave-socket rwl,
-owner /{,var/}run/user/**/#@{PID} rw,
-owner /{,var/}run/user/**/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm,
+owner /{,var/}run/user/[0-9]*/** rw,
+owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
+owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
+owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
+owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
+owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
 /{,var/}run/firejail/mnt/fslogger r,
 /{,var/}run/firejail/appimage r,
-- 
cgit v1.2.3-54-g00ecf
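Review bot: The new `*.slave-socket rwl` and `orcexec.* rwkm` rules only match files directly under `/run/user/<uid>/`, because a single `*` does not cross `/`, whereas the removed `**/` rules matched those names at any depth; since the broad `[0-9]*/** rw` rule grants only `rw`, a `*.slave-socket` or `orcexec.*` file created in a subdirectory would now lose the `l`, `k` and `m` permissions and fail with a link/lock/mmap denial rather than a read error. The same narrowing applies to the two `/run/firejail/mnt/oroot/...` variants. If these files are known to live only at the top level of the runtime dir, a comment stating that assumption would make the narrowing intentional, e.g. `# *.slave-socket and orcexec.* are only expected directly in $XDG_RUNTIME_DIR; deeper paths get rw only`. It would also help to note next to the `** rw` rules that per-path restriction of /run/user is deliberately left to firejail's userspace blacklist, since that rationale otherwise lives only in the commit message. The `profile firejail-default` block continues outside the hunk.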