/etc/apparmor.d/firejail-default is in firejail 0.9.44.8-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 | #########################################
# Generic Firejail AppArmor profile
#########################################
##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
profile firejail-default {
##########
# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
# functionality.
##########
#dbus,
##########
# Mask /proc and /sys information leakage. The configuration here is barely
# enough to run "top" or "ps aux".
##########
/ r,
/[^proc,^sys]** mrwlk,
/{,var/}run/ r,
/{,var/}run/** r,
/{,var/}run/user/**/dconf/ rw,
/{,var/}run/user/**/dconf/user rw,
/{,var/}run/user/**/pulse/ rw,
/{,var/}run/user/**/pulse/** rw,
/{,var/}run/firejail/mnt/fslogger r,
/{,var/}run/firejail/appimage r,
/{,var/}run/firejail/appimage/** r,
/{,var/}run/firejail/appimage/** ix,
/{run,dev}/shm/ r,
/{run,dev}/shm/** rmwk,
/proc/ r,
/proc/meminfo r,
/proc/cpuinfo r,
/proc/filesystems r,
/proc/uptime r,
/proc/loadavg r,
/proc/stat r,
/proc/@{PID}/ r,
/proc/@{PID}/fd/ r,
/proc/@{PID}/task/ r,
/proc/@{PID}/cmdline r,
/proc/@{PID}/comm r,
/proc/@{PID}/stat r,
/proc/@{PID}/statm r,
/proc/@{PID}/status r,
/proc/@{PID}/task/@{PID}/stat r,
/proc/sys/kernel/pid_max r,
/proc/sys/kernel/shmmax r,
/proc/sys/vm/overcommit_memory r,
/proc/sys/vm/overcommit_ratio r,
/sys/ r,
/sys/bus/ r,
/sys/bus/** r,
/sys/class/ r,
/sys/class/** r,
/sys/devices/ r,
/sys/devices/** r,
/proc/@{PID}/maps r,
/proc/@{PID}/mounts r,
/proc/@{PID}/mountinfo r,
/proc/@{PID}/oom_score_adj r,
##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/lib/** ix,
/lib64/** ix,
/bin/** ix,
/sbin/** ix,
/usr/bin/** ix,
/usr/sbin/** ix,
/usr/local/** ix,
/usr/lib/** ix,
/usr/games/** ix,
/opt/ r,
/opt/** r,
/opt/** ix,
#/home/** ix,
##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,
##########
# We let Firejail deal with capabilities.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
capability audit_write,
capability audit_control,
capability setfcap,
capability mac_override,
capability mac_admin,
##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,
}
|