mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2025-01-12 07:17:13 +01:00
166 lines
4.8 KiB
Text
166 lines
4.8 KiB
Text
#########################################
|
|
# Generic Firejail AppArmor profile
|
|
#########################################
|
|
|
|
# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
|
|
# and <abstractions/dbus-session-strict>.
|
|
#include <tunables/global>
|
|
|
|
##########
|
|
# A simple PID declaration based on Ubuntu's @{pid}
|
|
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
|
|
# We don't know if this definition is available outside Debian and Ubuntu, so
|
|
# we declare our own here.
|
|
##########
|
|
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
|
|
|
|
profile firejail-default flags=(attach_disconnected,mediate_deleted) {
|
|
|
|
##########
|
|
# Allow D-Bus access. It may negatively affect security. Comment those lines or
|
|
# use 'nodbus' option in profile if you don't need D-Bus functionality.
|
|
##########
|
|
#include <abstractions/dbus-strict>
|
|
#include <abstractions/dbus-session-strict>
|
|
dbus,
|
|
# Add rule in order to avoid dbus-*=filter breakage (#3432)
|
|
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
|
|
|
|
##########
|
|
# With ptrace it is possible to inspect and hijack running programs.
|
|
##########
|
|
# Uncomment this line to allow all ptrace access
|
|
#ptrace,
|
|
# Allow obtaining some process information, but not ptrace(2)
|
|
ptrace (read,readby) peer=@{profile_name},
|
|
|
|
##########
|
|
# Allow read access to whole filesystem and control it from firejail.
|
|
##########
|
|
/{,**} rklm,
|
|
|
|
##########
|
|
# Allow write access to paths writable in firejail which aren't used for
|
|
# executing programs. /run, /proc and /sys are handled separately.
|
|
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
|
|
##########
|
|
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
|
|
|
|
##########
|
|
# Whitelist writable paths under /run, /proc and /sys.
|
|
##########
|
|
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
|
|
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
|
|
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
|
|
|
|
# Allow writing to /var/mail and /var/spool/mail (for mail clients)
|
|
# Uncomment to enable
|
|
#owner /var/{mail,spool/mail}/** w,
|
|
|
|
# Allow writing to removable media
|
|
owner /{,var/}run/media/** w,
|
|
|
|
# Allow logging Firejail blacklist violations to journal
|
|
/{,var/}run/systemd/journal/socket w,
|
|
/{,var/}run/systemd/journal/dev-log w,
|
|
|
|
# Allow access to cups printing socket.
|
|
/{,var/}run/cups/cups.sock w,
|
|
|
|
# Allow access to pcscd socket (smartcards)
|
|
/{,var/}run/pcscd/pcscd.comm w,
|
|
|
|
# Needed for browser self-sandboxing
|
|
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
|
|
|
|
# Needed for electron apps
|
|
/proc/@{PID}/comm w,
|
|
# Needed for nslookup, dig, host
|
|
/proc/@{PID}/task/@{PID}/comm w,
|
|
|
|
# Used by chromium
|
|
owner /proc/@{PID}/oom_score_adj w,
|
|
owner /proc/@{PID}/clear_refs w,
|
|
|
|
##########
|
|
# Allow running programs only from well-known system directories. If you need
|
|
# to run programs from your home directory, uncomment /home line.
|
|
##########
|
|
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
|
|
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
|
|
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
|
|
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
|
|
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
|
|
#/{,run/firejail/mnt/oroot/}home/** ix,
|
|
|
|
# Appimage support
|
|
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
|
|
|
|
##########
|
|
# Blacklist specific sensitive paths.
|
|
##########
|
|
deny /**/.fscrypt/ rw,
|
|
deny /**/.fscrypt/** rwklmx,
|
|
deny /**/.snapshots/ rw,
|
|
deny /**/.snapshots/** rwklmx,
|
|
|
|
##########
|
|
# Allow all networking functionality, and control it from Firejail.
|
|
##########
|
|
network inet,
|
|
network inet6,
|
|
network unix,
|
|
network netlink,
|
|
network raw,
|
|
# needed for wireshark, tcpdump etc
|
|
network bluetooth,
|
|
network packet,
|
|
|
|
##########
|
|
# There is no equivalent in Firejail for filtering signals.
|
|
##########
|
|
signal (send) peer=@{profile_name},
|
|
signal (receive),
|
|
|
|
##########
|
|
# We let Firejail deal with capabilities, but ensure that
|
|
# some AppArmor related capabilities will not be available.
|
|
##########
|
|
capability chown,
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability fowner,
|
|
capability fsetid,
|
|
capability kill,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability setpcap,
|
|
capability linux_immutable,
|
|
capability net_bind_service,
|
|
capability net_broadcast,
|
|
capability net_admin,
|
|
capability net_raw,
|
|
capability ipc_lock,
|
|
capability ipc_owner,
|
|
capability sys_module,
|
|
capability sys_rawio,
|
|
capability sys_chroot,
|
|
capability sys_ptrace,
|
|
capability sys_pacct,
|
|
capability sys_admin,
|
|
capability sys_boot,
|
|
capability sys_nice,
|
|
capability sys_resource,
|
|
capability sys_time,
|
|
capability sys_tty_config,
|
|
capability mknod,
|
|
capability lease,
|
|
#capability audit_write,
|
|
#capability audit_control,
|
|
capability setfcap,
|
|
#capability mac_override,
|
|
#capability mac_admin,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/firejail-default>
|
|
}
|