#########################################
# Generic Firejail AppArmor profile
#########################################

##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}

profile firejail-default flags=(attach_disconnected,mediate_deleted) {

##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,

##########
# With ptrace it is possible to inspect and hijack running programs. Usually this
# is needed only for debugging. To allow ptrace, uncomment the following line.
##########
#ptrace,

##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,

##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,

##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,

owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,

# Allow writing to removable media
owner /{,var/}run/media/** w,

# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,

# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,

# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,

# Needed for firefox sandbox
/proc/[0-9]*/{uid_map,gid_map,setgroups} w,

# Silence noise
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,

# Uncomment to silence all denied write warnings
#deny /proc/** w,

# Uncomment to silence all denied write warnings
#deny /sys/** w,

##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,

# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,

##########
# Blacklist specific sensitive paths.
##########
# Common backup directory
deny /**/.snapshots/ rwx,

##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark
network packet,

##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,

##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
#capability audit_write,
#capability audit_control,
capability setfcap,
#capability mac_override,
#capability mac_admin,

##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,

# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>
}