author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-06-23 15:54:36 +0200 |
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2016-06-23 15:54:36 +0200 |
commit | 5ed044ee229432f1127861b9925672b6c937f914 (patch) | |
tree | 0c7109c90c147f6fa43afe43f7dd15a296babd6f /apparmor-profiles | |
parent | 20928c61adb680a5ff8a3bf4ccd037e6cfeb6fc2 (diff) | |
updated firefox-esr profile
Debian changed the naming scheme from Iceweasel back to Firefox
profile now also works with a grsecurity kernel
Signed-off-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
Diffstat (limited to 'apparmor-profiles')
-rw-r--r-- | apparmor-profiles/usr.lib.firefox-esr.firefox-esr (renamed from apparmor-profiles/usr.lib.iceweasel.iceweasel) | 46 |
1 files changed, 26 insertions, 20 deletions
diff --git a/apparmor-profiles/usr.lib.iceweasel.iceweasel b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
index 719d499..61ba572 100644
--- a/apparmor-profiles/usr.lib.iceweasel.iceweasel
+++ b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
@@ -11,12 +11,7 @@
 #include <tunables/global>
-# We want to confine the binaries that match:
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# but not:
-# /usr/lib/iceweasel-4.0b8/iceweasel.sh
-/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
+/usr/lib/firefox-esr/firefox-esr {
 #include <abstractions/audio>
 #include <abstractions/cups-client>
 #include <abstractions/dbus-session>
@@ -36,12 +31,20 @@
 owner /tmp/** m,
 owner /var/tmp/** m,
 /tmp/.X[0-9]*-lock r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled rm,
+ /usr/share/locale/** rm,
+ /usr/share/fonts/** rm,
+ /usr/share/icons/** rm,
+ /usr/share/mime/mime.cache rm,
 /etc/timezone r,
 /etc/wildmidi/wildmidi.cfg r,
- # iceweasel specific
- /etc/iceweasel*/** r,
+ /dev/dri/card0 rm,
+
+ # firefox specific
+ /etc/firefox-esr/ r,
+ /etc/firefox-esr/** r,
 /etc/xul-ext/** r,
 /etc/xulrunner{,-[0-9]*}/** r,
 /etc/gre.d/* r,
@@ -49,7 +52,7 @@
 /etc/mime.types r,
 # added
- owner /run/user/1000/dconf/user rw,
+ owner /run/user/1000/dconf/user rmw,
 /usr/local/share/applications r,
 /usr/local/share/applications/* r,
 # for printing
@@ -58,7 +61,7 @@
 /etc/udev/udev.conf r,
 # noisy
- deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+ deny /usr/lib/firefox{,-[0-9]*}/** w,
 deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
 deny /usr/lib/xulrunner-*/components/*.tmp w,
 deny /.suspended r,
@@ -69,8 +72,8 @@
 deny /usr/bin/gconftool-2 x,
 # These are needed when a new user starts iceweasel and iceweasel.sh is used
- /usr/lib/iceweasel{,-[0-9]*}/** ixr,
- deny /usr/lib/iceweasel/iceweasel.sh x,
+ /usr/lib/firefox-esr/** ixr,
+ deny /usr/lib/firefox/firefox.sh x,
 /usr/bin/basename ixr,
 /usr/bin/dirname ixr,
 /usr/bin/pwd ixr,
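Review bot: The rules added at the top of the `@@ -36,12 +31,20 @@` hunk grant `m` (executable mapping) on pure data trees — `/usr/share/locale/**`, `/usr/share/fonts/**`, `/usr/share/icons/**`, `gschemas.compiled`, `mime.cache` — where `r` is what the rest of this profile uses for such files, and nothing in the hunk says why. If this is what the grsecurity kernel named in the commit message requires, record it next to the rules, e.g. `# m (not just r) is needed for these data files under a grsecurity/PaX kernel`, so a later cleanup does not silently drop it. The same hunk hard-codes `/dev/dri/card0 rm,`; on a machine with more than one GPU the device in use may be `card1`, so `/dev/dri/card[0-9]* rm,` is the usual spelling — confirm against the system this was tested on.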
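Review bot: The new `deny /usr/lib/firefox{,-[0-9]*}/** w,` in the `@@ -58,7 +61,7 @@` hunk does not cover the directory this profile now attaches to: `{,-[0-9]*}` accepts an empty suffix or `-` followed by a digit, so `/usr/lib/firefox-esr/` falls outside it. Writes there are still refused because nothing grants `w` under `/usr/lib/firefox-esr/`, but the `# noisy` comment shows the rule exists to keep those refusals out of the audit log, and for that it has to name the real path: `deny /usr/lib/firefox-esr/** w,` (or `deny /usr/lib/firefox{,-[0-9]*,-esr}/** w,` if non-ESR installs should stay covered). The same glob is reused for `update.test` in the last hunk of this diff and has the same gap.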
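Review bot: `deny /usr/lib/firefox/firefox.sh x,` in the `@@ -69,8 +72,8 @@` hunk can never match: the profile is attached to `/usr/lib/firefox-esr/firefox-esr` and the line above grants `/usr/lib/firefox-esr/** ixr,`, so a launcher script living under `/usr/lib/firefox-esr/` is now executable under this profile with nothing denying it, whereas the removed rule did block the matching `iceweasel.sh`. If the Debian package ships such a wrapper (the deleted header comment and the old attachment glob suggest it sits next to the binary — verify with `dpkg -L firefox-esr`), the rule should read `deny /usr/lib/firefox-esr/firefox-esr.sh x,`. The comment `# These are needed when a new user starts iceweasel and iceweasel.sh is used` also still names iceweasel and should follow the rename.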
@@ -96,7 +99,8 @@
 /usr/lib/xulrunner-*/plugin-container ixr,
 # Make browsing directories work
- # deaktivated, iceweasel should not be able to read directory structure
+ # deaktivated, firefox should not be able
+ # to read the directory structure
 #/ r,
 #/**/ r,
@@ -105,12 +109,14 @@
 /usr/{include,share,src}/** r,
 #hinzugefügt
 /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
- #allow Iceweasel to open a pdf reader
+ #allow firefox to open a pdf reader
 /usr/bin/exo-open ix,
 /usr/bin/evince rix,
+ /usr/share/xul-ext/** rm,
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
- # owner @{HOME}/ r,
+ owner @{HOME}/ r,
 owner @{HOME}/Öffentlich/ r,
 owner @{HOME}/Öffentlich/** r,
 owner @{HOME}/Downloads/ r,
@@ -119,19 +125,19 @@
 owner @{HOME}/.cache/thumbnails/*/*.png r,
 #added, crashes otherwise
 owner @{HOME}/.config/gtk-3.0/bookmarks r,
- owner @{HOME}/.config/dconf/user r,
- owner @{HOME}/.cache/gstreamer-1.0/*.bin r,
+ owner @{HOME}/.config/dconf/user rm,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,
 # per-user iceweasel configuration
 owner @{HOME}/.{iceweasel,mozilla}/ rw,
- owner @{HOME}/.{iceweasel,mozilla}/** rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rmw,
 owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
 owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
 owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
 owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
 #hinzugefügt
 owner @{HOME}/.cache/mozilla/firefox/ rw,
- owner @{HOME}/.cache/mozilla/firefox/** rwk,
+ owner @{HOME}/.cache/mozilla/firefox/** rwmk,
 #
 # Extensions
@{ -139,7 +145,7 @@
 # Allow 'x' for downloaded extensions, but inherit policy for safety
 owner @{HOME}/.mozilla/**/extensions/** mixr,
- deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+ deny /usr/lib/firefox{,-[0-9]*}/update.test w,
 deny /usr/lib/mozilla/extensions/**/ w,
 deny /usr/lib/xulrunner-addons/extensions/**/ w,
 deny /usr/share/mozilla/extensions/**/ w, |
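Review bot: The `@@ -105,12 +109,14 @@` hunk turns the commented-out `# owner @{HOME}/ r,` into a live `owner @{HOME}/ r,`, which lets the browser list the top level of the home directory, one hunk after a comment was reworded to say that `firefox should not be able to read the directory structure`. If the listing is genuinely needed (the file chooser is the usual reason), say so on the line, e.g. `# top-level listing of $HOME only; subdirectories stay unreadable`, so the two statements do not contradict each other; otherwise revert it to a comment. The other addition here, `/usr/share/xul-ext/** rm,`, is read-only and in line with the existing `/etc/xul-ext/** r,`.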
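Review bot: `owner @{HOME}/.{iceweasel,mozilla}/** rmw,` and `owner @{HOME}/.cache/mozilla/firefox/** rwmk,` in the `@@ -119,19 +125,19 @@` hunk give the browser write and executable-mapping rights on the same files, so anything it can write into its profile or cache it can also map executable; the old profile kept `m` on the two `plugins/**` rules and left the broad rules at `rw`/`rwk`. If only particular files need the mapping, grant `m` to those paths alone, the way the `plugins/**` rules already do, and keep the wide rules without `m`. A short comment naming the file that produced the denial would also make the `rm` now given to `dconf/user` and `gstreamer-1.0/*.bin` reviewable later.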