user restrictions #4067

New issue

Closed

opened 2026-05-05 10:13:10 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:13:10 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/1775
Author: @Vincent43
Created: 2/14/2018
Status: ✅ Merged
Merged: 2/19/2018
Merged by: @Vincent43

Base: master ← Head: patch-1

📝 Commits (1)

cc1c524 Apparmor: don't duplicate userspace /run/user restrictions

📊 Changes

1 file changed (+6 additions, -14 deletions)

View changed files

📝 etc/firejail-default (+6 -14)

📄 Description

Currently userspace firejail do blacklist approach to /run/user/ directory. By default it blacklists /run/user/**/systemd and /run/user/**/gnupg. Additional restrictions can be enabled in profiles like blacklisting /run/user/**/bus , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening.

In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and apparmor profile is global. It's even worse as firejail blacklist can be disabled with writable-run-user command which means we have to whitelist literally everything under /run/user/ to not cause breakages when using apparmor.

The solution for all above is to leave handling of /run/user to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do on its own.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/1775 **Author:** [@Vincent43](https://github.com/Vincent43) **Created:** 2/14/2018 **Status:** ✅ Merged **Merged:** 2/19/2018 **Merged by:** [@Vincent43](https://github.com/Vincent43) **Base:** `master` ← **Head:** `patch-1` --- ### 📝 Commits (1) - [`cc1c524`](https://github.com/netblue30/firejail/commit/cc1c524098c9453dcc03ef60095e61de4555bf29) Apparmor: don't duplicate userspace /run/user restrictions ### 📊 Changes **1 file changed** (+6 additions, -14 deletions) <details> <summary>View changed files</summary> 📝 `etc/firejail-default` (+6 -14) </details> ### 📄 Description Currently userspace firejail do blacklist approach to `/run/user/` directory. By default it blacklists `/run/user/**/systemd` and `/run/user/**/gnupg`. Additional restrictions can be enabled in profiles like blacklisting `/run/user/**/bus` , etc. The blacklist can be extended or degraded by profile which allows for fine grained hardening. In apparmor we do whitelist approach instead. It means we have to explicitly enable access to every file which firejail already allow access. This duplicates functionality and amount of work to do. Moreover we end up with same list of allowed files as every one of them is used by some app and apparmor profile is global. It's even worse as firejail blacklist can be disabled with `writable-run-user` command which means we have to whitelist literally everything under `/run/user/` to not cause breakages when using apparmor. The solution for all above is to leave handling of `/run/user` to userspace firejail which is better tool to do this. In apparmor we should only handle things which firejail can't do on its own. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:13:10 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4067

No description provided.

Rows
Columns