path: root/apparmor-profiles/usr.lib.iceweasel.iceweasel
blob: 719d4998c901063dc863c9cbe9675b4600c80eaa (plain)
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2009-2011 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>

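# We want to confine the binaries that match:
#  /usr/lib/iceweasel-4.0b8/iceweasel
#  /usr/lib/iceweasel-4.0b8/iceweasel*   (any suffix whose last two characters are not "sh")
# but not:
#  /usr/lib/iceweasel-4.0b8/iceweasel.sh
# The attachment glob below expresses exactly that: "{,*[^s][^h]}" accepts the bare
# name or any longer name that does not end in "sh", which excludes the wrapper script.
/usr/lib/iceweasel{,-[0-9]*}/iceweasel{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/kde>
  #include <abstractions/nameservice>

  # for networking: stream sockets only (no dgram/raw) over IPv4 and IPv6
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # should maybe be in abstractions
  #/usr/share/xubuntu/applications/defaults.list r,
  # 'm' grants only the right to map these files executable (PROT_EXEC); any
  # read/write access to /tmp has to come from an abstraction, if at all.
  # 'owner' keeps it to files owned by the browser's own uid.
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # iceweasel specific
  /etc/iceweasel*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner{,-[0-9]*}/** r,
  /etc/gre.d/* r,
  /etc/mailcap r,
  /etc/mime.types r,

  # added locally
  # dconf runtime database: match the uid with a glob instead of hard-coding 1000
  # so the profile works for every user; 'owner' still limits the rule to the
  # calling user's own file.
  owner /run/user/[0-9]*/dconf/user rw,
  /usr/local/share/applications r,
  /usr/local/share/applications/* r,
  # for printing
  # NOTE(review): /sys/devices/** r is broad and exposes hardware details of the
  # whole machine to the browser; narrow it if the printing stack allows.
  /sys/devices/** r,
  /run/udev/data/** r,
  /etc/udev/udev.conf r,

  # noisy
  # Explicit 'deny' both blocks these accesses and suppresses the audit log entries
  # the browser would otherwise generate by attempting them.
  deny /usr/lib/iceweasel{,-[0-9]*}/** w,
  deny /usr/lib/{iceweasel,xulrunner}-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,

  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts iceweasel and iceweasel.sh is used
  # 'ix' runs the helpers under this same profile rather than their own.
  /usr/lib/iceweasel{,-[0-9]*}/** ixr,
  # NOTE(review): only the unversioned wrapper path is denied; the ixr rule above
  # still permits executing iceweasel.sh from a versioned /usr/lib/iceweasel-N/
  # directory. Use /usr/lib/iceweasel{,-[0-9]*}/iceweasel.sh here if that is unintended.
  deny /usr/lib/iceweasel/iceweasel.sh x,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  # environ may carry secrets (tokens, credentials passed via the environment);
  # 'owner' restricts this to the browser's own processes.
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # Make browsing directories work
  # deactivated, iceweasel should not be able to read the directory structure
  #/ r,
  #/**/ r,

  # allow access to documentation and other files the user may want to look
  # at in /usr
  /usr/{include,share,src}/** r,
  # added locally
  # lock ('k') only; read access comes from the /usr/share/** rule above
  /usr/share/xul-ext/https-everywhere/defaults/rulesets.sqlite k,
  # allow Iceweasel to open a pdf reader
  # 'ix' means the viewer runs confined under this browser profile, so it only
  # gets the accesses granted in this file.
  /usr/bin/exo-open ix,
  /usr/bin/evince rix,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # owner @{HOME}/ r,
  # "Öffentlich" is presumably the German-localised XDG Public directory; the
  # path must match the user's actual directory name to take effect.
  owner @{HOME}/Öffentlich/ r,
  owner @{HOME}/Öffentlich/** r,
  owner @{HOME}/Downloads/ r,
  # Downloads are read/write only: no 'x' and no 'm', so downloaded files
  # cannot be executed or mapped executable from here.
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.thumbnails/*/*.png r,
  owner @{HOME}/.cache/thumbnails/*/*.png r,
  # added, crashes otherwise
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.cache/gstreamer-1.0/*.bin r,

  # per-user iceweasel configuration
  owner @{HOME}/.{iceweasel,mozilla}/ rw,
  owner @{HOME}/.{iceweasel,mozilla}/** rw,
  owner @{HOME}/.{iceweasel,mozilla}/**/*.{db,parentlock,sqlite}* k,
  # 'm' on user-writable plugin directories lets the browser map user-installed
  # plugin code executable; this is the accepted trade-off for NPAPI plugins.
  owner @{HOME}/.{iceweasel,mozilla}/plugins/** rm,
  owner @{HOME}/.{iceweasel,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/iceweasel*-bin-* rw,
  # added locally
  owner @{HOME}/.cache/mozilla/firefox/ rw,
  owner @{HOME}/.cache/mozilla/firefox/** rwk,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # NOTE(review): this rule names only .mozilla, while the per-user rules above use
  # .{iceweasel,mozilla}; extensions under ~/.iceweasel therefore get rw only and
  # cannot be executed or mapped. Confirm which behaviour is intended.
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny /usr/lib/iceweasel{,-[0-9]*}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Site-specific additions and overrides. See local/README for details.
  # Local path is disabled, we only enable them for profiles we promote
  # out of extras.
  ## include <local/usr.bin.iceweasel>
}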