# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2009-2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

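/usr/lib/firefox-esr/firefox-esr {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde>
  #include <abstractions/nameservice>

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # should maybe be in abstractions
  #/usr/share/xubuntu/applications/defaults.list r,
  # 'm' grants executable mapping of the user's own scratch files; keep in
  # mind when tightening the profile that this is what lets user-owned files
  # under these directories be mapped with PROT_EXEC
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /usr/share/glib-2.0/schemas/gschemas.compiled rm,
  /usr/share/locale/** rm,
  /usr/share/fonts/** rm,
  /usr/share/icons/** rm,
  /usr/share/mime/mime.cache rm,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # any DRM card node, not only the first one (multi-GPU / hotplug setups)
  /dev/dri/card[0-9]* rm,

  # firefox specific
  /etc/firefox-esr/ r,
  /etc/firefox-esr/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner{,-[0-9]*}/** r,
  /etc/gre.d/* r,
  /etc/mailcap r,
  /etc/mime.types r,

  # added
  # 'owner' already restricts this to files owned by the calling user, so
  # the runtime directory must not hard-code a single uid (was /run/user/1000)
  owner /run/user/[0-9]*/dconf/user rmw,
  # a directory is only matched with the trailing '/' (cf. /etc/firefox-esr/ above)
  /usr/local/share/applications/ r,
  /usr/local/share/applications/* r,
  # for printing
  /sys/devices/** r,
  /run/udev/data/** r,
  /etc/udev/udev.conf r,

  # noisy
  deny /usr/lib/firefox{,-[0-9]*}/** w,
  deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,

  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts iceweasel and iceweasel.sh is used
  /usr/lib/firefox-esr/** ixr,
  deny /usr/lib/firefox/firefox.sh x,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # Make browsing directories work
  # deactivated, firefox should not be able
  # to read the directory structure
  #/ r,
  #/**/ r,

  # allow access to documentation and other files the user may want to look
  # at in /usr
  /usr/{include,share,src}/** r,
  # added
  /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
  # allow firefox to open a pdf reader
  # 'ix' runs the helper inside this same profile; if the system ships a
  # profile of its own for the helper, 'Px' would give it separate
  # confinement instead — TODO confirm which helper profiles are installed
  /usr/bin/exo-open ix,
  /usr/bin/evince rix,

  /usr/share/xul-ext/** rm,

  # Default profile allows downloads to ~/Downloads and uploads from
  # ~/Öffentlich (the localized name of ~/Public on this system)
  owner @{HOME}/ r,
  owner @{HOME}/Öffentlich/ r,
  owner @{HOME}/Öffentlich/** r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.thumbnails/*/*.png r,
  owner @{HOME}/.cache/thumbnails/*/*.png r,
  # added, crashes otherwise
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user rm,
  owner @{HOME}/.cache/gstreamer-1.0/*.bin rm,

  # per-user iceweasel configuration
  owner @{HOME}/.{iceweasel,mozilla}/ rw,
  owner @{HOME}/.{iceweasel,mozilla}/** rmw,
  owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
  owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
  # added
  owner @{HOME}/.cache/mozilla/firefox/ rw,
  owner @{HOME}/.cache/mozilla/firefox/** rwmk,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny /usr/lib/firefox{,-[0-9]*}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Site-specific additions and overrides. See local/README for details.
  # Local path is disabled, we only enable them for profiles we promote
  # out of extras.
  ## include <local/usr.bin.iceweasel>
}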