#########################################
# Generic Firejail AppArmor profile
#########################################

# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
# and <abstractions/dbus-session-strict>.
#include <tunables/global>

##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}

profile firejail-default flags=(attach_disconnected,mediate_deleted) {

##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
# Add rule in order to avoid dbus-*=filter breakage (#3432)
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,

##########
# With ptrace it is possible to inspect and hijack running programs.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},

##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,

##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,

##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,

# Allow writing to /var/mail and /var/spool/mail (for mail clients)
# Uncomment to enable
#owner /var/{mail,spool/mail}/** w,

# Allow writing to removable media
owner /{,var/}run/media/** w,

# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,

# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,

# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,

# Needed for browser self-sandboxing
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,

# Needed for electron apps
/proc/@{PID}/comm w,
# Needed for nslookup, dig, host
/proc/@{PID}/task/@{PID}/comm w,

# Used by chromium
owner /proc/@{PID}/oom_score_adj w,
owner /proc/@{PID}/clear_refs w,

##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
# or similar to /etc/apparmor.d/local/firejail-default (without the quotes).
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,

# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,

##########
# Blacklist specific sensitive paths.
##########
deny /**/.fscrypt/ rw,
deny /**/.fscrypt/** rwklmx,
deny /**/.snapshots/ rw,
deny /**/.snapshots/** rwklmx,

##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark, tcpdump etc
network bluetooth,
network packet,

##########
# There is no equivalent in Firejail for filtering signals.
##########
signal (send) peer=@{profile_name},
signal (receive),

##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
# The list of recognized capabilities varies from one apparmor version to another.
# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
# We allow all caps by default and remove the  ones we don't like:
capability,
deny capability audit_write,
deny capability audit_control,
deny capability mac_override,
deny capability mac_admin,

# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-default>
}