Hi intrigeri,

On Sun, Dec 16, 2018 at 02:14:54PM +0100, intrigeri wrote:
> IIRC Chromium uses some operation guarded by ptrace to set up its
> sandboxing or for communication between its components. Recent Firefox
> does the same. It's quite common that a sandboxing technology requires
> elevated privileges and here we're stacking 3 different ones
> (Chromium's, Firejail, and AppArmor) so I'm not surprised that one of
> them is broken by one of the 2 others.
>
> If this problem affects too many Firejail users who opt in
> for --apparmor, I would recommend documenting this rule in the
> default profile:
>
>     ptrace (read,readby) peer=firejail-default,
>
> I'll let the maintainer judge whether this should be enabled
> by default.
>
> Other than this, it would be good if the "Usually this is needed only
> for debugging" documentation string was updated a little bit to
> reflect common current use cases of ptrace.
Thanks for the suggestion. I was unfamiliar with the example rule you
provided above, so I looked it up. According to the AppArmor wiki [0]
this finer-grained ptrace control is only available in AppArmor 3. But I
can see it also being used in some profiles installed on my system. Has
this feature been backported to version 2?

Kind regards,
Reiner

[0] https://gitlab.com/apparmor/apparmor/wikis/TechnicalDoc_Proc_and_ptrace
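One way to answer Reiner's question on a given machine is to ask the local parser whether it accepts the rule intrigeri quoted. The helper below is an added example, not code from the thread or from the Firejail/AppArmor projects; it assumes apparmor_parser is on PATH, and the profile name ptrace-rule-probe is made up for the probe.

```shell
#!/bin/sh
# Probe whether the local AppArmor toolchain accepts a fine-grained ptrace
# rule. A throwaway profile containing the rule is compiled with
# apparmor_parser -Q (skip kernel load) -K (skip cache), so nothing is
# loaded into the running kernel. Prints "supported", "unsupported" or
# "unknown" (no apparmor_parser found) and returns 0, 1 or 2 respectively.
# Note: a rejection can mean either that the parser does not know the
# syntax or that it was compiled/checked against a kernel whose feature
# set lacks ptrace mediation; inspect the parser's stderr to tell them apart.
check_ptrace_peer_rule() {
    default_rule='ptrace (read,readby) peer=firejail-default,'
    rule=${1:-$default_rule}

    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    tmp=$(mktemp) || return 2
    # Constructed probe profile; the name is hypothetical and never loaded.
    cat >"$tmp" <<EOF
profile ptrace-rule-probe {
  $rule
}
EOF

    if apparmor_parser -Q -K "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo supported
        return 0
    fi
    rm -f "$tmp"
    echo unsupported
    return 1
}

# Stand-alone usage: probe the default rule, or pass your own rule as $1.
check_ptrace_peer_rule "$@"
```

Run it as root or as a user who can read the kernel's AppArmor feature directory, otherwise the parser may report a failure that has nothing to do with the rule syntax.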