From c1af59c9f31816127b43d10109c005661dd96c32 Mon Sep 17 00:00:00 2001
From: Vincent43 <31109921+Vincent43@users.noreply.github.com>
Date: Sun, 24 Nov 2019 23:05:00 +0100
Subject: apparmor: don't allow mounts and paths manipulation

AppArmor security relies on path based rules and rewriting paths may allow to bypass them. Those actions are priveliged so vast majority of apps shouldn't need them anyway. If some app need those rules then it's better to consider them as unsuitable for apparmor option rather than weaken generic profile for all apps. See related issue reported by apparmor usage in snap: https://bugs.launchpad.net/snapd/+bug/1791711
---
 etc/firejail-default | 8 --------
 1 file changed, 8 deletions(-) (limited to 'etc')

diff --git a/etc/firejail-default b/etc/firejail-default
index 66be8ba9c..3321b72fb 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -151,14 +151,6 @@ capability setfcap,
 #capability mac_override,
 #capability mac_admin,
 
-##########
-# We let Firejail deal with mount/umount functionality.
-##########
-mount,
-remount,
-umount,
-pivot_root,
-
 # Site-specific additions and overrides. See local/README for details.
 #include
 }
-- 
cgit v1.2.3-54-g00ecf