# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2009-2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/iceweasel-4.0b8/iceweasel
#  /usr/lib/iceweasel-4.0b8/iceweasel
# but not:
#  /usr/lib/iceweasel-4.0b8/iceweasel.sh
/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde>
  #include <abstractions/nameservice>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # should maybe be in abstractions
  #/usr/share/xubuntu/applications/defaults.list r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # iceweasel specific
  /etc/iceweasel*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner{,-[0-9]*}/** r,
  /etc/gre.d/* r,
  /etc/mailcap r,
  /etc/mime.types r,
  
  #selbst eingefuegt
  owner /run/user/1000/dconf/user rw,
  /usr/local/share/applications r,
  /usr/local/share/applications/* r,
  #for printing
  /sys/devices/** r,
  /run/udev/data/** r,
  /etc/udev/udev.conf r, 

  # noisy
  deny /usr/lib/iceweasel{,-[0-9]*}/** w,
  deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,

  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts iceweasel and iceweasel.sh is used
  /usr/lib/iceweasel{,-[0-9]*}/** ixr,
  deny /usr/lib/iceweasel/iceweasel.sh x,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,  

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # Make browsing directories work
  #auch mal deaktivieren
  #/ r,
  #/**/ r,

  # allow access to documentation and other files the user may want to look
  # at in /usr
  /usr/{include,share,src}/** r,
  #hinzugefügt
  /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
  #um das Öffnen externer Programme zu ermöglichen
  /usr/bin/exo-open ix,
  /usr/bin/evince rix,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # owner @{HOME}/ r,
  owner @{HOME}/Öffentlich/ r,
  owner @{HOME}/Öffentlich/** r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.thumbnails/*/*.png r,
  owner @{HOME}/.cache/thumbnails/*/*.png r,
  #added, crashes otherwise
  owner @{HOME}/.config/gtk-3.0/bookmarks r,  
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.cache/gstreamer-1.0/*.bin r,

  # per-user iceweasel configuration
  owner @{HOME}/.{iceweasel,mozilla}/ rw,
  owner @{HOME}/.{iceweasel,mozilla}/** rw,
  owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
  owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
  #hinzugefügt
  owner @{HOME}/.cache/mozilla/firefox/ rw,
  owner @{HOME}/.cache/mozilla/firefox/** rwk,  
  
  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Site-specific additions and overrides. See local/README for details.
  # Local path is disabled, we only enable them for profiles we promote
  # out of extras.
  ## include <local/usr.bin.iceweasel>
}