From 5ed044ee229432f1127861b9925672b6c937f914 Mon Sep 17 00:00:00 2001
From: Wolfgang Wiedmeyer
Date: Thu, 23 Jun 2016 15:54:36 +0200
Subject: updated firefox-esr profile

Debian changed the naming scheme from Iceweasel back to Firefox profile now also works with a grsecurity kernel

Signed-off-by: Wolfgang Wiedmeyer
---
 apparmor-profiles/usr.lib.firefox-esr.firefox-esr | 158 ++++++++++++++++++++++
 apparmor-profiles/usr.lib.iceweasel.iceweasel | 152 ---------------------
 2 files changed, 158 insertions(+), 152 deletions(-)
 create mode 100644 apparmor-profiles/usr.lib.firefox-esr.firefox-esr
 delete mode 100644 apparmor-profiles/usr.lib.iceweasel.iceweasel

diff --git a/apparmor-profiles/usr.lib.firefox-esr.firefox-esr b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
new file mode 100644
index 0000000..61ba572
--- /dev/null
+++ b/apparmor-profiles/usr.lib.firefox-esr.firefox-esr
@@ -0,0 +1,158 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/firefox-esr/firefox-esr {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ # should maybe be in abstractions
+ #/usr/share/xubuntu/applications/defaults.list r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ /tmp/.X[0-9]*-lock r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled rm,
+ /usr/share/locale/** rm,
+ /usr/share/fonts/** rm,
+ /usr/share/icons/** rm,
+ /usr/share/mime/mime.cache rm,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ /dev/dri/card0 rm,
+
+ # firefox specific
+ /etc/firefox-esr/ r,
+ /etc/firefox-esr/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+ /etc/gre.d/* r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+
+ # added
+ owner /run/user/1000/dconf/user rmw,
+ /usr/local/share/applications r,
+ /usr/local/share/applications/* r,
+ # for printing
+ /sys/devices/** r,
+ /run/udev/data/** r,
+ /etc/udev/udev.conf r,
+
+ # noisy
+ deny /usr/lib/firefox{,-[0-9]*}/** w,
+ deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
+ deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts iceweasel and iceweasel.sh is used
+ /usr/lib/firefox-esr/** ixr,
+ deny /usr/lib/firefox/firefox.sh x,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/task/[0-9]*/stat r,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+
+ # Needed for container to work in xul builds
+ /usr/lib/xulrunner-*/plugin-container ixr,
+
+ # Make browsing directories work
+ # deaktivated, firefox should not be able
+ # to read the directory structure
+ #/ r,
+ #/**/ r,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr
+ /usr/{include,share,src}/** r,
+ #hinzugefügt
+ /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
+ #allow firefox to open a pdf reader
+ /usr/bin/exo-open ix,
+ /usr/bin/evince rix,
+
+ /usr/share/xul-ext/** rm,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Öffentlich/ r,
+ owner @{HOME}/Öffentlich/** r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/** rw,
+ owner @{HOME}/.thumbnails/*/*.png r,
+ owner @{HOME}/.cache/thumbnails/*/*.png r,
+ #added, crashes otherwise
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user rm,
+ owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,
+
+ # per-user iceweasel configuration
+ owner @{HOME}/.{iceweasel,mozilla}/ rw,
+ owner @{HOME}/.{iceweasel,mozilla}/** rmw,
+ owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
+ owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
+ owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
+ #hinzugefügt
+ owner @{HOME}/.cache/mozilla/firefox/ rw,
+ owner @{HOME}/.cache/mozilla/firefox/** rwmk,
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ deny /usr/lib/firefox{,-[0-9]*}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+ deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ deny /usr/share/mozilla/extensions/**/ w,
+ deny /usr/share/mozilla/ w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ # Local path is disabled, we only enable them for profiles we promote
+ # out of extras.
+ ## include
+}
diff --git a/apparmor-profiles/usr.lib.iceweasel.iceweasel b/apparmor-profiles/usr.lib.iceweasel.iceweasel
deleted file mode 100644
index 719d499..0000000
--- a/apparmor-profiles/usr.lib.iceweasel.iceweasel
+++ /dev/null
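Review bot: `owner /run/user/1000/dconf/user rmw,` hard-codes uid 1000, so for any other account the dconf access falls through to the default deny; `owner` already restricts the rule to the calling user's own file, so `owner /run/user/[0-9]*/dconf/user rmw,` loses nothing and is the line I would change. The rename is also incomplete in the "noisy" block: `deny /usr/lib/firefox{,-[0-9]*}/** w,`, `deny /usr/lib/firefox/firefox.sh x,` and `deny /usr/lib/firefox{,-[0-9]*}/update.test w,` match `/usr/lib/firefox` and `/usr/lib/firefox-NN` but not `/usr/lib/firefox-esr/`, so those rules no longer silence anything, and because `/usr/lib/firefox-esr/** ixr,` now covers the whole install directory a `firefox-esr.sh` launcher (if the package still ships one) becomes executable where the old profile's attachment pattern and `deny .../iceweasel.sh x` kept it out. Finally, the grsecurity accommodation widens `m` from `plugins/**` to all of `@{HOME}/.{iceweasel,mozilla}/**` and `@{HOME}/.cache/mozilla/firefox/**`, granting write and mmap-exec on the same user-writable profile data; if only particular files need to be mapped under that kernel, naming them would keep the browser from executing anything it can write into its own profile.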
@@ -1,152 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2009-2011 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-#include
-
-# We want to confine the binaries that match:
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# /usr/lib/iceweasel-4.0b8/iceweasel
-# but not:
-# /usr/lib/iceweasel-4.0b8/iceweasel.sh
-/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
- #include
- #include
- #include
- #include
- #include
- #include
- #include
-
- # for networking
- network inet stream,
- network inet6 stream,
- @{PROC}/[0-9]*/net/if_inet6 r,
- @{PROC}/[0-9]*/net/ipv6_route r,
-
- # should maybe be in abstractions
- #/usr/share/xubuntu/applications/defaults.list r,
- owner /tmp/** m,
- owner /var/tmp/** m,
- /tmp/.X[0-9]*-lock r,
-
- /etc/timezone r,
- /etc/wildmidi/wildmidi.cfg r,
-
- # iceweasel specific
- /etc/iceweasel*/** r,
- /etc/xul-ext/** r,
- /etc/xulrunner{,-[0-9]*}/** r,
- /etc/gre.d/* r,
- /etc/mailcap r,
- /etc/mime.types r,
-
- # added
- owner /run/user/1000/dconf/user rw,
- /usr/local/share/applications r,
- /usr/local/share/applications/* r,
- # for printing
- /sys/devices/** r,
- /run/udev/data/** r,
- /etc/udev/udev.conf r,
-
- # noisy
- deny /usr/lib/iceweasel{,-[0-9]*}/** w,
- deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
- deny /usr/lib/xulrunner-*/components/*.tmp w,
- deny /.suspended r,
- deny /boot/initrd.img* r,
- deny /boot/vmlinuz* r,
- deny /var/cache/fontconfig/ w,
-
- deny /usr/bin/gconftool-2 x,
-
- # These are needed when a new user starts iceweasel and iceweasel.sh is used
- /usr/lib/iceweasel{,-[0-9]*}/** ixr,
- deny /usr/lib/iceweasel/iceweasel.sh x,
- /usr/bin/basename ixr,
- /usr/bin/dirname ixr,
- /usr/bin/pwd ixr,
- /sbin/killall5 ixr,
- /bin/which ixr,
- /usr/bin/tr ixr,
- @{PROC}/[0-9]*/cmdline r,
- @{PROC}/[0-9]*/mountinfo r,
- @{PROC}/[0-9]*/stat r,
- @{PROC}/[0-9]*/status r,
- @{PROC}/[0-9]*/task/[0-9]*/stat r,
-
- /etc/mtab r,
- /etc/fstab r,
-
- # Needed for the crash reporter
- owner @{PROC}/[0-9]*/environ r,
- owner @{PROC}/[0-9]*/auxv r,
- /etc/lsb-release r,
- /usr/bin/expr ix,
-
- # Needed for container to work in xul builds
- /usr/lib/xulrunner-*/plugin-container ixr,
-
- # Make browsing directories work
- # deaktivated, iceweasel should not be able to read directory structure
- #/ r,
- #/**/ r,
-
- # allow access to documentation and other files the user may want to look
- # at in /usr
- /usr/{include,share,src}/** r,
- #hinzugefügt
- /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
- #allow Iceweasel to open a pdf reader
- /usr/bin/exo-open ix,
- /usr/bin/evince rix,
-
- # Default profile allows downloads to ~/Downloads and uploads from ~/Public
- # owner @{HOME}/ r,
- owner @{HOME}/Öffentlich/ r,
- owner @{HOME}/Öffentlich/** r,
- owner @{HOME}/Downloads/ r,
- owner @{HOME}/Downloads/** rw,
- owner @{HOME}/.thumbnails/*/*.png r,
- owner @{HOME}/.cache/thumbnails/*/*.png r,
- #added, crashes otherwise
- owner @{HOME}/.config/gtk-3.0/bookmarks r,
- owner @{HOME}/.config/dconf/user r,
- owner @{HOME}/.cache/gstreamer-1.0/*.bin r,
-
- # per-user iceweasel configuration
- owner @{HOME}/.{iceweasel,mozilla}/ rw,
- owner @{HOME}/.{iceweasel,mozilla}/** rw,
- owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
- owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
- owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
- owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
- #hinzugefügt
- owner @{HOME}/.cache/mozilla/firefox/ rw,
- owner @{HOME}/.cache/mozilla/firefox/** rwk,
-
- #
- # Extensions
- # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
- # Allow 'x' for downloaded extensions, but inherit policy for safety
- owner @{HOME}/.mozilla/**/extensions/** mixr,
-
- deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
- deny /usr/lib/mozilla/extensions/**/ w,
- deny /usr/lib/xulrunner-addons/extensions/**/ w,
- deny /usr/share/mozilla/extensions/**/ w,
- deny /usr/share/mozilla/ w,
-
- # Site-specific additions and overrides. See local/README for details.
- # Local path is disabled, we only enable them for profiles we promote
- # out of extras.
- ## include
-}
-- cgit v1.1