1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
#########################################
# Generic Firejail AppArmor profile
#########################################
# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
# and <abstractions/dbus-session-strict>.
#include <tunables/global>
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
# Add rule in order to avoid dbus-*=filter breakage (#3432)
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
##########
# With ptrace it is possible to inspect and hijack running programs.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},
##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,
##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to /var/mail and /var/spool/mail (for mail clients)
# Uncomment to enable
#owner /var/{mail,spool/mail}/** w,
# Allow writing to removable media
owner /{,var/}run/media/** w,
# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,
# Needed for browser self-sandboxing
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
# Needed for electron apps
/proc/@{PID}/comm w,
# Needed for nslookup, dig, host
/proc/@{PID}/task/@{PID}/comm w,
# Used by chromium
owner /proc/@{PID}/oom_score_adj w,
owner /proc/@{PID}/clear_refs w,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
##########
# Blacklist specific sensitive paths.
##########
deny /**/.fscrypt/ rw,
deny /**/.fscrypt/** rwklmx,
deny /**/.snapshots/ rw,
deny /**/.snapshots/** rwklmx,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark, tcpdump etc
network bluetooth,
network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal (send) peer=@{profile_name},
signal (receive),
##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
# The list of recognized capabilities varies from one apparmor version to another.
# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
# We allow all caps by default and remove the ones we don't like:
capability,
deny capability audit_write,
deny capability audit_control,
deny capability mac_override,
deny capability mac_admin,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-default>
}
|
