author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-06-23 15:54:36 +0200 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-06-23 15:54:36 +0200 |
commit | 5ed044ee229432f1127861b9925672b6c937f914 (patch) | |
tree | 0c7109c90c147f6fa43afe43f7dd15a296babd6f /apparmor-profiles/usr.lib.firefox-esr.firefox-esr | |
parent | 20928c61adb680a5ff8a3bf4ccd037e6cfeb6fc2 (diff) | |
updated firefox-esr profile
Debian changed the naming scheme from Iceweasel back to Firefox
profile now also works with a grsecurity kernel
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'apparmor-profiles/usr.lib.firefox-esr.firefox-esr')
-rw-r--r-- | apparmor-profiles/usr.lib.firefox-esr.firefox-esr | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/apparmor-profiles/usr.lib.firefox-esr.firefox-esr b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
new file mode 100644
index 0000000..61ba572
--- /dev/null
+++ b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
@@ -0,0 +1,158 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/firefox-esr/firefox-esr {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice>
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # should maybe be in abstractions
+ #/usr/share/xubuntu/applications/defaults.list r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled rm,
+ /usr/share/locale/** rm,
+ /usr/share/fonts/** rm,
+ /usr/share/icons/** rm,
+ /usr/share/mime/mime.cache rm,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ /dev/dri/card0 rm,
+
+ # firefox specific
+ /etc/firefox-esr/ r,
+ /etc/firefox-esr/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+ /etc/gre.d/* r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+
+ # added
+ owner /run/user/1000/dconf/user rmw,
+ /usr/local/share/applications r,
+ /usr/local/share/applications/* r,
+ # for printing
+ /sys/devices/** r,
+ /run/udev/data/** r,
+ /etc/udev/udev.conf r,
+
+ # noisy
+ deny /usr/lib/firefox{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts iceweasel and iceweasel.sh is used
+ /usr/lib/firefox-esr/** ixr,
+ deny /usr/lib/firefox/firefox.sh x,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+
+ # Needed for container to work in xul builds
+ /usr/lib/xulrunner-*/plugin-container ixr,
+
+ # Make browsing directories work
+ # deaktivated, firefox should not be able
+ # to read the directory structure
+ #/ r,
+ #/**/ r,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}/** r,
+ #hinzugefügt
+ /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
+ #allow firefox to open a pdf reader
+ /usr/bin/exo-open ix,
+ /usr/bin/evince rix,
+
+ /usr/share/xul-ext/** rm,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Öffentlich/ r,
+ owner @{HOME}/Öffentlich/** r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/** rw,
+ owner @{HOME}/.thumbnails/*/*.png r,
+ owner @{HOME}/.cache/thumbnails/*/*.png r,
+ #added, crashes otherwise
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user rm,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,
+
+ # per-user iceweasel configuration
+ owner @{HOME}/.{iceweasel,mozilla}/ rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rmw,
+ owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
+ owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
+ owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
+ #hinzugefügt
+ owner @{HOME}/.cache/mozilla/firefox/ rw,
+ owner @{HOME}/.cache/mozilla/firefox/** rwmk,
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ deny /usr/lib/firefox{,-[0-9]*}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ deny /usr/share/mozilla/extensions/**/ w,
+ deny /usr/share/mozilla/ w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ # Local path is disabled, we only enable them for profiles we promote
+ # out of extras.
+ ## include <local/usr.bin.iceweasel>
+}
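Review bot: `owner /run/user/1000/dconf/user rmw,` under the `# added` comment hard-codes one UID, so for any other account the profile silently denies dconf access while the rest of the file stays UID-agnostic through `@{HOME}` and `owner`; the profile's own `[0-9]*` idiom fits here: `owner /run/user/[0-9]*/dconf/user rmw,`. Further down, `deny /usr/lib/firefox/firefox.sh x,` still names the old `/usr/lib/firefox/` path while everything else moved to `/usr/lib/firefox-esr/`, so it appears to guard nothing that `/usr/lib/firefox-esr/** ixr,` grants — either drop it or rename it to match, and update the `# These are needed when a new user starts iceweasel and iceweasel.sh is used` comment at the same time. `/usr/bin/evince rix,` and `/usr/bin/exo-open ix,` run the viewer with this profile's confinement inherited; if those programs ship their own profiles, `Px` (or `Cx` with a child profile) keeps a renderer bug in the viewer from acquiring the browser's `~/Downloads` and `~/.mozilla` write access. The hunk is a new file, so the whole profile block is within view.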