summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--apparmor-profiles/usr.lib.firefox-esr.firefox-esr (renamed from apparmor-profiles/usr.lib.iceweasel.iceweasel)46
1 files changed, 26 insertions, 20 deletions
diff --git a/apparmor-profiles/usr.lib.iceweasel.iceweasel b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
index 719d499..61ba572 100644
--- a/apparmor-profiles/usr.lib.iceweasel.iceweasel
+++ b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
@@ -11,12 +11,7 @@
#include <tunables/global>
-# We want to confine the binaries that match:
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# but not:
-# /usr/lib/iceweasel-4.0b8/iceweasel.sh
-/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
+/usr/lib/firefox-esr/firefox-esr {
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
@@ -36,12 +31,20 @@
owner /tmp/** m,
owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled rm,
+ /usr/share/locale/** rm,
+ /usr/share/fonts/** rm,
+ /usr/share/icons/** rm,
+ /usr/share/mime/mime.cache rm,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
- # iceweasel specific
- /etc/iceweasel*/** r,
+ /dev/dri/card0 rm,
+
+ # firefox specific
+ /etc/firefox-esr/ r,
+ /etc/firefox-esr/** r,
/etc/xul-ext/** r,
/etc/xulrunner{,-[0-9]*}/** r,
/etc/gre.d/* r,
@@ -49,7 +52,7 @@
/etc/mime.types r,
# added
- owner /run/user/1000/dconf/user rw,
+ owner /run/user/1000/dconf/user rmw,
/usr/local/share/applications r,
/usr/local/share/applications/* r,
# for printing
@@ -58,7 +61,7 @@
/etc/udev/udev.conf r,
# noisy
- deny /usr/lib/iceweasel{,-[0-9]*}/** w,
+ deny /usr/lib/firefox{,-[0-9]*}/** w,
deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
@@ -69,8 +72,8 @@
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts iceweasel and iceweasel.sh is used
- /usr/lib/iceweasel{,-[0-9]*}/** ixr,
- deny /usr/lib/iceweasel/iceweasel.sh x,
+ /usr/lib/firefox-esr/** ixr,
+ deny /usr/lib/firefox/firefox.sh x,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
@@ -96,7 +99,8 @@
/usr/lib/xulrunner-*/plugin-container ixr,
# Make browsing directories work
- # deaktivated, iceweasel should not be able to read directory structure
+ # deaktivated, firefox should not be able
+ # to read the directory structure
#/ r,
#/**/ r,
@@ -105,12 +109,14 @@
/usr/{include,share,src}/** r,
#hinzugefügt
/usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
- #allow Iceweasel to open a pdf reader
+ #allow firefox to open a pdf reader
/usr/bin/exo-open ix,
/usr/bin/evince rix,
+ /usr/share/xul-ext/** rm,
+
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
- # owner @{HOME}/ r,
+ owner @{HOME}/ r,
owner @{HOME}/Öffentlich/ r,
owner @{HOME}/Öffentlich/** r,
owner @{HOME}/Downloads/ r,
@@ -119,19 +125,19 @@
owner @{HOME}/.cache/thumbnails/*/*.png r,
#added, crashes otherwise
owner @{HOME}/.config/gtk-3.0/bookmarks r,
- owner @{HOME}/.config/dconf/user r,
- owner @{HOME}/.cache/gstreamer-1.0/*.bin r,
+ owner @{HOME}/.config/dconf/user rm,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,
# per-user iceweasel configuration
owner @{HOME}/.{iceweasel,mozilla}/ rw,
- owner @{HOME}/.{iceweasel,mozilla}/** rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rmw,
owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
#hinzugefügt
owner @{HOME}/.cache/mozilla/firefox/ rw,
- owner @{HOME}/.cache/mozilla/firefox/** rwk,
+ owner @{HOME}/.cache/mozilla/firefox/** rwmk,
#
# Extensions
@@ -139,7 +145,7 @@
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
- deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
+ deny /usr/lib/firefox{,-[0-9]*}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,