######################################### # Generic Firejail AppArmor profile ######################################### ########## # A simple PID declaration based on Ubuntu's @{pid} # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. # We don't know if this definition is available outside Debian and Ubuntu, so # we declare our own here. ########## @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} profile firejail-default flags=(attach_disconnected,mediate_deleted) { ########## # D-Bus is a huge security hole. Uncomment those lines if you need D-Bus # functionality. ########## ##include ##include #dbus, ########## # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes ########## / r, /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, /run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, /{,var/}run/ r, /{,var/}run/** r, /run/firejail/mnt/oroot/{,var/}run/ r, /run/firejail/mnt/oroot/{,var/}run/** r, owner /{,var/}run/user/**/dconf/ rw, owner /{,var/}run/user/**/dconf/user rw, owner /{,var/}run/user/**/pulse/ rw, owner /{,var/}run/user/**/pulse/** rw, owner /{,var/}run/user/**/*.slave-socket rwl, owner /{,var/}run/user/**/#@{PID} rw, owner /{,var/}run/user/**/orcexec.* rwkm, owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw, owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw, owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw, owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw, owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl, owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw, owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm, /{,var/}run/firejail/mnt/fslogger r, /{,var/}run/firejail/appimage r, /{,var/}run/firejail/appimage/** r, /{,var/}run/firejail/appimage/** ix, /run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r, /run/firejail/mnt/oroot/{,var/}run/firejail/appimage r, /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r, /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix, /{run,dev}/shm/ r, owner /{run,dev}/shm/** rmwk, /run/firejail/mnt/oroot/{run,dev}/shm/ r, owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, # Needed for wine /{,var/}run/firejail/profile/@{PID} w, ########## # Mask /proc and /sys information leakage. The configuration here is barely # enough to run "top" or "ps aux". ########## /proc/ r, /proc/meminfo r, /proc/cpuinfo r, /proc/filesystems r, /proc/uptime r, /proc/loadavg r, /proc/stat r, /proc/sys/kernel/pid_max r, /proc/sys/kernel/shmmax r, /proc/sys/kernel/yama/ptrace_scope r, /proc/sys/vm/overcommit_memory r, /proc/sys/vm/overcommit_ratio r, /proc/sys/kernel/random/uuid r, /sys/ r, /sys/bus/ r, /sys/bus/** r, /sys/class/ r, /sys/class/** r, /sys/devices/ r, /sys/devices/** r, /proc/@{PID}/ r, /proc/@{PID}/fd/ r, /proc/@{PID}/task/ r, /proc/@{PID}/cmdline r, /proc/@{PID}/comm r, /proc/@{PID}/stat r, /proc/@{PID}/statm r, /proc/@{PID}/status r, /proc/@{PID}/task/@{PID}/stat r, /proc/@{PID}/task/@{PID}/status r, /proc/@{PID}/maps r, /proc/@{PID}/mem r, /proc/@{PID}/mounts r, /proc/@{PID}/mountinfo r, owner /proc/@{PID}/oom_adj w, /proc/@{PID}/oom_score_adj r, owner /proc/@{PID}/oom_score_adj w, /proc/@{PID}/auxv r, /proc/@{PID}/net/dev r, /proc/@{PID}/loginuid r, /proc/@{PID}/environ r, # Needed for chromium ptrace (trace tracedby), ########## # Allow running programs only from well-known system directories. If you need # to run programs from your home directory, uncomment /home line. ########## /lib/** ix, /lib64/** ix, /bin/** ix, /sbin/** ix, /usr/bin/** ix, /usr/sbin/** ix, /usr/local/** ix, /usr/lib/** ix, /usr/games/** ix, /opt/ r, /opt/** r, /opt/** ix, #/home/** ix, /run/firejail/mnt/oroot/lib/** ix, /run/firejail/mnt/oroot/lib64/** ix, /run/firejail/mnt/oroot/bin/** ix, /run/firejail/mnt/oroot/sbin/** ix, /run/firejail/mnt/oroot/usr/bin/** ix, /run/firejail/mnt/oroot/usr/sbin/** ix, /run/firejail/mnt/oroot/usr/local/** ix, /run/firejail/mnt/oroot/usr/lib/** ix, /run/firejail/mnt/oroot/usr/games/** ix, /run/firejail/mnt/oroot/opt/ r, /run/firejail/mnt/oroot/opt/** r, /run/firejail/mnt/oroot/opt/** ix, ########## # Allow acces to cups printing socket ########## /run/cups/cups.sock w, ########## # Allow all networking functionality, and control it from Firejail. ########## network inet, network inet6, network unix, network netlink, network raw, ########## # There is no equivalent in Firejail for filtering signals. ########## signal, ########## # We let Firejail deal with capabilities. ########## capability chown, capability dac_override, capability dac_read_search, capability fowner, capability fsetid, capability kill, capability setgid, capability setuid, capability setpcap, capability linux_immutable, capability net_bind_service, capability net_broadcast, capability net_admin, capability net_raw, capability ipc_lock, capability ipc_owner, capability sys_module, capability sys_rawio, capability sys_chroot, capability sys_ptrace, capability sys_pacct, capability sys_admin, capability sys_boot, capability sys_nice, capability sys_resource, capability sys_time, capability sys_tty_config, capability mknod, capability lease, capability audit_write, capability audit_control, capability setfcap, capability mac_override, capability mac_admin, ########## # We let Firejail deal with mount/umount functionality. ########## mount, remount, umount, pivot_root, # Site-specific additions and overrides. See local/README for details. #include }