diff --git a/apparmor.d/profiles-a-l/firejail-default b/apparmor.d/profiles-a-l/firejail-default deleted file mode 100644 index ec87f1d2..00000000 --- a/apparmor.d/profiles-a-l/firejail-default +++ /dev/null @@ -1,166 +0,0 @@ -######################################### -# Generic Firejail AppArmor profile -######################################### - -# AppArmor 3.0 uses the @{run} variable in -# and . -#include - -########## -# A simple PID declaration based on Ubuntu's @{pid} -# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. -# We don't know if this definition is available outside Debian and Ubuntu, so -# we declare our own here. -########## -@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} - -profile firejail-default flags=(attach_disconnected,mediate_deleted) { - -########## -# Allow D-Bus access. It may negatively affect security. Comment those lines or -# use 'nodbus' option in profile if you don't need D-Bus functionality. -########## -#include -#include -dbus, -# Add rule in order to avoid dbus-*=filter breakage (#3432) -owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w, - -########## -# With ptrace it is possible to inspect and hijack running programs. -########## -# Uncomment this line to allow all ptrace access -#ptrace, -# Allow obtaining some process information, but not ptrace(2) -ptrace (read,readby) peer=@{profile_name}, - -########## -# Allow read access to whole filesystem and control it from firejail. -########## -/{,**} rklm, - -########## -# Allow write access to paths writable in firejail which aren't used for -# executing programs. /run, /proc and /sys are handled separately. -# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes. -########## -/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w, - -########## -# Whitelist writable paths under /run, /proc and /sys. -########## -owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w, -owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w, -owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w, - -# Allow writing to /var/mail and /var/spool/mail (for mail clients) -# Uncomment to enable -#owner /var/{mail,spool/mail}/** w, - -# Allow writing to removable media -owner /{,var/}run/media/** w, - -# Allow logging Firejail blacklist violations to journal -/{,var/}run/systemd/journal/socket w, -/{,var/}run/systemd/journal/dev-log w, - -# Allow access to cups printing socket. -/{,var/}run/cups/cups.sock w, - -# Allow access to pcscd socket (smartcards) -/{,var/}run/pcscd/pcscd.comm w, - -# Needed for browser self-sandboxing -owner /proc/@{PID}/{uid_map,gid_map,setgroups} w, - -# Needed for electron apps -/proc/@{PID}/comm w, -# Needed for nslookup, dig, host -/proc/@{PID}/task/@{PID}/comm w, - -# Used by chromium -owner /proc/@{PID}/oom_score_adj w, -owner /proc/@{PID}/clear_refs w, - -########## -# Allow running programs only from well-known system directories. If you need -# to run programs from your home directory, uncomment /home line. -########## -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix, -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix, -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix, -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix, -/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix, -#/{,run/firejail/mnt/oroot/}home/** ix, - -# Appimage support -/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix, - -########## -# Blacklist specific sensitive paths. -########## -deny /**/.fscrypt/ rw, -deny /**/.fscrypt/** rwklmx, -deny /**/.snapshots/ rw, -deny /**/.snapshots/** rwklmx, - -########## -# Allow all networking functionality, and control it from Firejail. -########## -network inet, -network inet6, -network unix, -network netlink, -network raw, -# needed for wireshark, tcpdump etc -network bluetooth, -network packet, - -########## -# There is no equivalent in Firejail for filtering signals. -########## -signal (send) peer=@{profile_name}, -signal (receive), - -########## -# We let Firejail deal with capabilities, but ensure that -# some AppArmor related capabilities will not be available. -########## -capability chown, -capability dac_override, -capability dac_read_search, -capability fowner, -capability fsetid, -capability kill, -capability setgid, -capability setuid, -capability setpcap, -capability linux_immutable, -capability net_bind_service, -capability net_broadcast, -capability net_admin, -capability net_raw, -capability ipc_lock, -capability ipc_owner, -capability sys_module, -capability sys_rawio, -capability sys_chroot, -capability sys_ptrace, -capability sys_pacct, -capability sys_admin, -capability sys_boot, -capability sys_nice, -capability sys_resource, -capability sys_time, -capability sys_tty_config, -capability mknod, -capability lease, -#capability audit_write, -#capability audit_control, -capability setfcap, -#capability mac_override, -#capability mac_admin, - -# Site-specific additions and overrides. See local/README for details. -#include -}