1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
#########################################
# Generic Firejail AppArmor profile
#########################################
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
##########
# With ptrace it is possible to inspect and hijack running programs. Usually this
# is needed only for debugging. To allow ptrace, uncomment the following line.
##########
#ptrace,
##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,
##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to removable media
owner /{,var/}run/media/** w,
# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Needed for firefox sandbox
/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
# Silence noise
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,
# Uncomment to silence all denied write warnings
#deny /proc/** w,
# Uncomment to silence all denied write warnings
#deny /sys/** w,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,
# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
##########
# Blacklist specific sensitive paths.
##########
# Common backup directory
deny /**/.snapshots/ rwx,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark
network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,
##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
#capability audit_write,
#capability audit_control,
capability setfcap,
#capability mac_override,
#capability mac_admin,
##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>
}
|
