Diffstat (limited to 'apparmor-profiles/usr.lib.firefox-esr.firefox-esr')
-rw-r--r--apparmor-profiles/usr.lib.firefox-esr.firefox-esr158
1 files changed, 158 insertions, 0 deletions
diff --git a/apparmor-profiles/usr.lib.firefox-esr.firefox-esr b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
new file mode 100644
index 0000000..61ba572
--- /dev/null
+++ b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
@@ -0,0 +1,158 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/firefox-esr/firefox-esr {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/kde>
+ #include <abstractions/nameservice>
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # should maybe be in abstractions
+ #/usr/share/xubuntu/applications/defaults.list r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled rm,
+ /usr/share/locale/** rm,
+ /usr/share/fonts/** rm,
+ /usr/share/icons/** rm,
+ /usr/share/mime/mime.cache rm,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ /dev/dri/card0 rm,
+
+ # firefox specific
+ /etc/firefox-esr/ r,
+ /etc/firefox-esr/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+ /etc/gre.d/* r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+
+ # added
+ owner /run/user/1000/dconf/user rmw,
+ /usr/local/share/applications r,
+ /usr/local/share/applications/* r,
+ # for printing
+ /sys/devices/** r,
+ /run/udev/data/** r,
+ /etc/udev/udev.conf r,
+
+ # noisy
+ deny /usr/lib/firefox{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts iceweasel and iceweasel.sh is used
+ /usr/lib/firefox-esr/** ixr,
+ deny /usr/lib/firefox/firefox.sh x,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+
+ # Needed for container to work in xul builds
+ /usr/lib/xulrunner-*/plugin-container ixr,
+
+ # Make browsing directories work
+ # deaktivated, firefox should not be able
+ # to read the directory structure
+ #/ r,
+ #/**/ r,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}/** r,
+ #hinzugefügt
+ /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
+ #allow firefox to open a pdf reader
+ /usr/bin/exo-open ix,
+ /usr/bin/evince rix,
+
+ /usr/share/xul-ext/** rm,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Öffentlich/ r,
+ owner @{HOME}/Öffentlich/** r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/** rw,
+ owner @{HOME}/.thumbnails/*/*.png r,
+ owner @{HOME}/.cache/thumbnails/*/*.png r,
+ #added, crashes otherwise
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user rm,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,
+
+ # per-user iceweasel configuration
+ owner @{HOME}/.{iceweasel,mozilla}/ rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rmw,
+ owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
+ owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
+ owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
+ #hinzugefügt
+ owner @{HOME}/.cache/mozilla/firefox/ rw,
+ owner @{HOME}/.cache/mozilla/firefox/** rwmk,
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ deny /usr/lib/firefox{,-[0-9]*}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ deny /usr/share/mozilla/extensions/**/ w,
+ deny /usr/share/mozilla/ w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ # Local path is disabled, we only enable them for profiles we promote
+ # out of extras.
+ ## include <local/usr.bin.iceweasel>
+}
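Review bot: The dconf rule in the "added" block, `owner /run/user/1000/dconf/user rmw,`, hard-codes UID 1000, so for any other account the profile denies the runtime dconf file that the comment below (`#added, crashes otherwise`) suggests Firefox needs; `owner /run/user/[0-9]*/dconf/user rmw,` keeps the owner check and works for every user. The "noisy" suppressions `deny /usr/lib/firefox{,-[0-9]*}/** w,` and `deny /usr/lib/firefox{,-[0-9]*}/update.test w,` do not match this profile's own install path `/usr/lib/firefox-esr/` (`-esr` is not matched by `-[0-9]*`), so those writes remain denied by the default policy but will still be logged; `firefox{,-esr,-[0-9]*}` would match the intent. `@{PROC}/[0-9]*/cmdline r,` (and the neighbouring `stat`/`status` rules) carries no `owner` qualifier, so the browser can read the command line of every process on the host, including secrets passed as arguments by other users; `owner @{PROC}/[0-9]*/cmdline r,` is enough for the iceweasel.sh use case the comment describes, unless killall5 is found to need the wider read. Finally, `owner @{HOME}/.mozilla/**/extensions/** mixr,` executes anything an extension drops there under this same profile, which is the documented trade-off but should be stated as such in the comment rather than "for safety".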