From a052d9f2be1ae0c3d4c35677312c1058c02b6bee Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 27 Feb 2018 00:21:10 +0100
Subject: drop cap_mac_admin in apparmor profile
---
 etc/firejail-default | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'etc')
diff --git a/etc/firejail-default b/etc/firejail-default
index f9a876f5c..5d116fbbc 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -113,7 +113,7 @@ deny /proc/@{PID}/oom_score_adj w,
 /run/firejail/mnt/oroot/opt/** ix,
 ##########
-# Allow acces to cups printing socket.
+# Allow access to cups printing socket.
 ##########
 /run/cups/cups.sock w,
@@ -132,7 +132,8 @@ network raw,
 signal,
 ##########
-# We let Firejail deal with capabilities.
+# We let Firejail deal with capabilities,
+# but mac_admin should be dropped in any case.
 ##########
 capability chown,
 capability dac_override,
@@ -167,7 +168,7 @@ capability audit_write,
 capability audit_control,
 capability setfcap,
 capability mac_override,
-capability mac_admin,
+#capability mac_admin,
 ##########
 # We let Firejail deal with mount/umount functionality.
--
cgit v1.2.3-54-g00ecf
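Review bot: In the last hunk, `capability mac_admin,` is only commented out, so the profile relies on AppArmor's implicit default-deny for this capability rather than stating the denial. That holds only while no other allow rule for it is merged into the profile; whether this profile pulls in a local include is not visible in the hunks, so that is worth checking. An explicit `audit deny capability mac_admin,` would take precedence over any allow rule and keep attempts in the audit log, which suits a capability that governs MAC policy administration. The reason is given some 35 lines earlier, in the header comment changed by the second hunk; a short comment beside the rule itself, e.g. `# never granted: a confined process must not administer MAC policy`, would stop the line from being uncommented by mistake.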