Created
January 31, 2019 14:00
-
-
Save brimston3/7db29a500dad5a79550543092ff0a47a to your computer and use it in GitHub Desktop.
firefox customizations for esr.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vim:syntax=apparmor | |
| # ------------------------------------------------------------------ | |
| # | |
| # Copyright (C) 2009-2011 Canonical Ltd. | |
| # | |
| # This program is free software; you can redistribute it and/or | |
| # modify it under the terms of version 2 of the GNU General Public | |
| # License published by the Free Software Foundation. | |
| # | |
| # ------------------------------------------------------------------ | |
| #include <tunables/global> | |
| # We want to confine the binaries that match: | |
| # /usr/lib/firefox-4.0b8/firefox | |
| # /usr/lib/firefox-4.0b8/firefox | |
| # but not: | |
| # /usr/lib/firefox-4.0b8/firefox.sh | |
| /usr/lib/firefox{,-esr,-[0-9]*}/firefox{,-esr,*[^s][^h]} { | |
| #include <abstractions/audio> | |
| #include <abstractions/cups-client> | |
| #include <abstractions/dbus-session> | |
| #include <abstractions/gnome> | |
| #include <abstractions/ibus> | |
| #include <abstractions/kde> | |
| #include <abstractions/nameservice> | |
| # for networking | |
| network inet stream, | |
| network inet6 stream, | |
| @{PROC}/@{pid}/net/if_inet6 r, | |
| @{PROC}/@{pid}/net/ipv6_route r, | |
| # should maybe be in abstractions | |
| /usr/share/xubuntu/applications/defaults.list r, | |
| owner /tmp/** m, | |
| owner /var/tmp/** m, | |
| /tmp/.X[0-9]*-lock r, | |
| /etc/timezone r, | |
| /etc/writable/timezone r, | |
| /etc/wildmidi/wildmidi.cfg r, | |
| # firefox specific | |
| /etc/firefox*/** r, | |
| /etc/xul-ext/** r, | |
| /etc/xulrunner{,-[0-9]*}/** r, | |
| /etc/gre.d/* r, | |
| /etc/mailcap r, | |
| /etc/mime.types r, | |
| # noisy | |
| deny /usr/lib/firefox{,-esr,-[0-9]*}/** w, | |
| deny /usr/{lib,share}/mozilla/** w, | |
| deny /usr/lib/{firefox,xulrunner}-addons/** w, | |
| deny /usr/lib/xulrunner-*/components/*.tmp w, | |
| deny /.suspended r, | |
| deny /boot/initrd.img* r, | |
| deny /boot/vmlinuz* r, | |
| deny /var/cache/fontconfig/ w, | |
| deny /proc/**/net/arp r, | |
| deny /usr/bin/gconftool-2 x, | |
| deny /**/dconf/user rw, | |
| #deny /sys/** rw, | |
| deny /sys/devices/system/cpu/** rw, | |
| # These are needed when a new user starts firefox and firefox.sh is used | |
| /usr/lib/firefox{,-esr,-[0-9]*}/** ixr, | |
| deny /usr/lib/firefox/firefox.sh x, | |
| /usr/bin/basename ixr, | |
| /usr/bin/dirname ixr, | |
| /usr/bin/pwd ixr, | |
| /{usr/,}sbin/killall5 ixr, | |
| /{usr/,}bin/which ixr, | |
| /usr/bin/tr ixr, | |
| @{PROC}/@{pid}/cmdline r, | |
| @{PROC}/@{pid}/mountinfo r, | |
| @{PROC}/@{pid}/stat r, | |
| @{PROC}/@{pid}/status r, | |
| @{PROC}/@{pid}/task/*/stat r, | |
| @{PROC}/modules r, | |
| /etc/mtab r, | |
| /etc/fstab r, | |
| /etc/ld.so.conf r, | |
| /etc/ld.so.conf.d/* r, | |
| # Needed for the crash reporter | |
| owner @{PROC}/@{pid}/environ r, | |
| owner @{PROC}/@{pid}/auxv r, | |
| /etc/lsb-release r, | |
| /usr/bin/expr ix, | |
| # Needed for container to work in xul builds | |
| /usr/lib/xulrunner-*/plugin-container ixr, | |
| /usr/lib/firefox{,-esr,-[0-9]*}/plugin-container ixr, | |
| # Make browsing directories work | |
| / r, | |
| /**/ r, | |
| # allow access to documentation and other files the user may want to look | |
| # at in /usr | |
| /usr/{include,share,src}/** r, | |
| # Default profile allows downloads to ~/Downloads and uploads from ~/Public | |
| owner @{HOME}/ r, | |
| owner @{HOME}/Public/ r, | |
| owner @{HOME}/Public/** r, | |
| owner @{HOME}/Downloads/ r, | |
| owner @{HOME}/Downloads/** rw, | |
| owner @{HOME}/.thumbnails/*/*.png r, | |
| # per-user firefox configuration | |
| owner @{HOME}/.{firefox,mozilla}/ rw, | |
| owner @{HOME}/.{firefox,mozilla}/** rw, | |
| owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k, | |
| owner @{HOME}/.{firefox,mozilla}/plugins/** rm, | |
| owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm, | |
| owner @{HOME}/.gnome2/firefox*-bin-* rw, | |
| # per-user firefox cache | |
| owner @{HOME}/.cache/mozilla/firefox/ rw, | |
| owner @{HOME}/.cache/mozilla/firefox/** rw, | |
| owner @{HOME}/.cache/mozilla/firefox/**/*.{db,parentlock,sqlite}* k, | |
| # Don't know what this is, but it wants to make pipes here. | |
| /dev/shm/org.chromium.* rw, | |
| # needed for yubikey/u2f | |
| /etc/udev/udev.conf r, | |
| /sys/devices/**/usb*/**/hidraw/hidraw*/uevent r, | |
| /run/udev/data/* r, | |
| /dev/hidraw* rw, | |
| # | |
| # Extensions | |
| # /usr/share/.../extensions/... is already covered by '/usr/.../** r', above. | |
| # Allow 'x' for downloaded extensions, but inherit policy for safety | |
| owner @{HOME}/.mozilla/**/extensions/** mixr, | |
| deny /usr/lib/firefox{,-esr,-[0-9]*}/update.test w, | |
| deny /usr/lib/firefox-esr/browser/extensions w, | |
| deny /usr/lib/mozilla/extensions/**/ w, | |
| deny /usr/lib/xulrunner-addons/extensions/**/ w, | |
| deny /usr/share/mozilla/extensions/**/ w, | |
| deny /usr/share/mozilla/ w, | |
| # Site-specific additions and overrides. See local/README for details. | |
| # Local path is disabled, we only enable them for profiles we promote | |
| # out of extras. | |
| ## include <local/usr.bin.firefox> | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment