update apparmor profiles

parent a6bb4195
......@@ -66,8 +66,8 @@ profile adequate @{exec_path} flags=(complain) {
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr,
/{usr/,}lib/@{multiarch}/ld-2.29.so rix,
/{usr/,}lib{,x}32/ld-2.29.so rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
......
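Review bot: The rewritten loader rules `/{usr/,}lib/@{multiarch}/ld-*.so rix,` and `/{usr/,}lib{,x}32/ld-*.so rix,` only match the versioned file name (`ld-2.NN.so`); on a system where glibc no longer installs that file and the loader exists only as `ld-linux-*.so.*`, the glob matches nothing and the direct loader exec the original `ld-2.29.so` rule was evidently written for is denied again (AppArmor evaluates the resolved file, so the symlink name does not help, as far as I can tell). If that matters here, `/{usr/,}lib/@{multiarch}/ld{-*.so,-linux-*.so.*} rix,` covers both layouts without widening the rule to other binaries. The same pair of rules is introduced in the mkinitramfs hunk further down, so the same remark applies there.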
......@@ -58,6 +58,10 @@ profile birdtray @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Check for updates
/etc/ssl/ r,
/etc/ssl/certs/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......
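Review bot: The two rules added under `# Check for updates` (`/etc/ssl/ r,` and `/etc/ssl/certs/ r,`) grant only directory listings, not reads of the certificate files themselves, so if the update check has to validate a TLS connection the CA bundle reads will presumably still be denied once the log is examined again. The upstream abstraction exists for exactly this case: `#include <abstractions/ssl_certs>` covers the certs directory and the certificate files under it. If only the listings were observed in the audit log, the rules are fine as written but the comment should say so, e.g. `# Check for updates (only the cert directory listings are needed)`.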
......@@ -81,8 +81,9 @@ profile dpkg @{exec_path} flags=(complain) {
/var/local/** rwl -> /var/local/**,
/var/spool/ r,
/var/spool/** rwl -> /var/spool/**,
# To create log dirs
/var/log/*/ rw,
# To create log and cache dirs
/var/log/*/ rw,
/var/cache/**/ rw,
# file_inherit
/dev/tty[0-9]* rw,
......
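Review bot: `/var/cache/**/ rw,` is much broader than the `/var/log/*/ rw,` rule next to it: `**/` matches directories at any depth under `/var/cache`, so the profile now permits creating and removing any cache directory, not just the top-level ones the comment `# To create log and cache dirs` suggests. Unless deeper paths were actually seen in the audit log, `/var/cache/*/ rw,` mirrors the log rule and keeps the grant to one level. The profile is in complain mode today, so this only shows up as logging, but the rule will carry over unchanged when it is switched to enforce.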
......@@ -53,13 +53,13 @@ profile dropbox @{exec_path} {
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/*.so* mrw,
owner @{DROPBOX_DEMON_DIR}/dropbox-lnx.*/plugins/platforms/*.so mrw,
/{usr/,}bin/dash rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/@{multiarch}-gcc-7 rix,
/{usr/,}bin/@{multiarch}-objdump rix,
/{usr/,}bin/{,@{multiarch}-}gcc-7 rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
# Needed for updating Dropbox
owner /tmp/.dropbox-dist-new-*/{,**} rw,
......
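Review bot: The rewritten rule `/{usr/,}bin/{,@{multiarch}-}gcc-7 rix,` still pins a specific compiler version, so it silently stops matching as soon as the distribution moves to another gcc, and three more profiles in this commit pin `gcc-9` the same way (hardinfo, inxi and spectre-meltdown-checker). A version glob such as `/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,` keeps the rule working across upgrades without matching other binaries. Why a sync client runs a compiler and objdump under its own profile (`rix` inherits the whole dropbox rule set, including the `mrw` library rules above) is not visible here and deserves a one-line comment next to the rules.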
......@@ -21,6 +21,7 @@ profile engrampa @{exec_path} {
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
#include <abstractions/thumbnails-cache-write>
#include <abstractions/dconf-deny>
@{exec_path} mr,
......
......@@ -22,12 +22,11 @@ dbus,
##########
# With ptrace it is possible to inspect and hijack running programs.
# Some browsers are also using ptrace for their sandboxing.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=firejail-default,
ptrace (read,readby) peer=@{profile_name},
##########
# Allow read access to whole filesystem and control it from firejail.
......@@ -44,10 +43,8 @@ ptrace (read,readby) peer=firejail-default,
##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
# Allow writing to removable media
......@@ -57,22 +54,22 @@ owner /{,var/}run/media/** w,
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,
# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,
# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,
# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,
# Needed for firefox sandbox
/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
/proc/@{PID}/{uid_map,gid_map,setgroups} w,
# Needed for electron apps
/proc/@{PID}/comm w,
# Silence noise
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,
# Uncomment to silence all denied write warnings
#deny /proc/** w,
# Uncomment to silence all denied write warnings
#deny /sys/** w,
......@@ -93,8 +90,10 @@ deny /proc/@{PID}/oom_score_adj w,
##########
# Blacklist specific sensitive paths.
##########
# Common backup directory
deny /**/.snapshots/ rwx,
deny /**/.fscrypt/ rw,
deny /**/.fscrypt/** rwklmx,
deny /**/.snapshots/ rw,
deny /**/.snapshots/** rwklmx,
##########
# Allow all networking functionality, and control it from Firejail.
......@@ -110,7 +109,8 @@ network packet,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,
signal (send) [email protected]{profile_name},
signal (receive),
##########
# We let Firejail deal with capabilities, but ensure that
......@@ -151,14 +151,6 @@ capability setfcap,
#capability mac_override,
#capability mac_admin,
##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,
# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-default>
}
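Review bot: In the blacklist hunk, `deny /**/.snapshots/ rw,` and the other three `/**/` deny rules presumably do not cover a snapshot directory directly under the root (`/.snapshots/`, the usual snapper location), if the parser treats a leading `/**/` as requiring at least one path component, which is how `/dir/**` not matching `/dir/` itself is commonly documented; worth confirming, and if so adding `deny /.snapshots/ rw,` plus `deny /.snapshots/** rwklmx,` (and the `.fscrypt` pair likewise). Separately, the signal hunk's `signal (send) peer=@{profile_name},` is rendered here through the forge's e-mail obfuscation (`[email protected]`), so anyone reading this page rather than the raw file should not take the displayed line literally. The mount hunk at the end of the section is a pure removal and needs no change.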
......@@ -45,7 +45,7 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/iconv rix,
/{usr/,}sbin/route rix,
/{usr/,}bin/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-amd64-linux rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
......@@ -109,7 +109,7 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/ccache mr,
/{usr/,}bin/@{multiarch}-gcc-9 rix,
/{usr/,}bin/{,@{multiarch}-}gcc-9 rix,
/media/ccache/*/** rw,
......
......@@ -25,7 +25,7 @@ profile inxi @{exec_path} {
/{usr/,}bin/zsh rix,
/{usr/,}bin/tty rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/@{multiarch}-gcc-9 rix,
/{usr/,}bin/{,@{multiarch}-}gcc-9 rix,
/{usr/,}bin/getconf rix,
/{usr/,}bin/ip rCx -> ip,
......
......@@ -10,3 +10,5 @@
# ------------------------------------------------------------------
#include <abstractions/file-browsing-strict>
/var/cache/apt/archives/*.deb r,
......@@ -83,8 +83,8 @@ profile mkinitramfs @{exec_path} {
/{usr/,}bin/kmod mr,
/{usr/,}bin/bash r,
/{usr/,}lib/@{multiarch}/ld-2.29.so rix,
/{usr/,}lib32/ld-2.29.so rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/{usr/,}lib{,x}32/ld-*.so rix,
}
......
......@@ -44,6 +44,7 @@ profile reportbug @{exec_path} flags=(complain) {
/{usr/,}bin/dlocate rPx,
/{usr/,}bin/apt-cache rPx,
/{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
......
......@@ -46,9 +46,9 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/basename rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/@{multiarch}-gnu-readelf rix,
/{usr/,}bin/@{multiarch}-gnu-strings rix,
/{usr/,}bin/@{multiarch}-gnu-objdump rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,
/{usr/,}bin/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache,
......@@ -84,7 +84,7 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/ccache mr,
/{usr/,}bin/@{multiarch}-gcc-9 rix,
/{usr/,}bin/{,@{multiarch}-}gcc-9 rix,
/media/ccache/*/** rw,
......
......@@ -66,6 +66,7 @@ profile man_groff {
/usr/bin/vgrind rm,
/etc/groff/** r,
/etc/papersize r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
......