# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Declare an apparmor variable to help with overrides
# Install directory of the confined browser.  The exec and deny rules for the
# install tree below refer to this variable, so a site-local override that
# relocates Firefox is expected to change only this line.
@{MOZ_LIBDIR}=/usr/lib/firefox

# Global tunables: @{PROC}, @{HOME} and the other variables used below are
# expected to come from here.
#include <tunables/global>
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
/usr/lib/firefox/firefox{,*[^s][^h]} {
  # Permission letters used in this profile: r read, w write, m mmap with
  # PROT_EXEC, k file locking, ix execute under this same profile, Cx execute
  # under the named child profile, Ux execute unconfined (the uppercase form
  # scrubs the environment).  'owner' limits a rule to files owned by the
  # confined process's user.  Explicit 'deny' rules take precedence over any
  # allow rule, including ones pulled in by the includes, and are mostly here
  # to keep denial logging quiet.
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  # Accessibility over D-Bus: send to the org.a11y.Bus service on the session
  # bus, receive atspi interface messages there, and exchange messages freely
  # on the dedicated accessibility bus.
  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  # Only stream (SOCK_STREAM) sockets are granted here.  The /proc/net reads
  # expose interface and routing state; the NetworkManager rules allow asking
  # for its 'state' and receiving messages from the NetworkManager object.
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  # MIME-type and default-application lookups (system-wide and per-user).
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  # NOTE(review): 'm' on the owner's files under the world-writable temp trees
  # lets anything this user (or the browser itself) drops there be mapped
  # executable; narrow the path if a tighter policy is wanted.
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,    # shmfd-* files in the shm tmpfs
  /tmp/.X[0-9]*-lock r,                # X display lock files
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
       bus=session
       interface=org.gtk.gio.DesktopAppInfo
       member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  # System-wide browser, extension and GRE configuration, read-only.
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  # Quiet denials.  The first of these keeps the install tree read-only for the
  # browser even though it may execute anything in it (see the ixr rule below).
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # Everything under the install directory and these shell helpers run under
  # this same profile (ix), so the wrapper script does not escape confinement.
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  # Process and hardware enumeration; only the per-task stat read is owner-only.
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  owner @{HOME}/.cache/thumbnails/** rw,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  # environ and auxv carry the process environment and auxiliary vector, so
  # they are restricted to the owner's own processes.
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # AppArmor only narrows what DAC already permits, so this grants nothing
  # beyond the user's normal read access to these trees.
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  # Directory listings only ('/**/' matches directories, not files).
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # '*' matches only direct children, so subdirectories of these two folders
  # are not covered.
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  # Profile directories are read/write; 'k' adds file locking on the database
  # files, and 'rm' lets plugin libraries be mapped executable.
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  # dconf / GConf settings access.
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # mixr: anything executed from a user-installed extension stays under this
  # profile rather than gaining a less restricted one.
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  # Quiet denials for the system-wide extension trees.
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # NOTE(review): Ux runs the child with a scrubbed environment but without
  # any AppArmor confinement; keep this list as short as it is.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # lsb_release gets its own child profile ('-> lsb_release' names the profile
  # declared below); it is a Python script, hence the python abstraction and
  # interpreter paths.
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,

    # file_inherit
    # An open descriptor inherited from the parent; refused quietly here rather
    # than logged on every launch.
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  # NOTE(review): both of these includes can widen the profile; review them
  # together with this file when auditing the effective policy.
  #include <local/usr.bin.firefox>
}