From 0fccbef52b1e0d8b713c76d71220ae03bce8fb1a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 24 Aug 2025 22:06:34 +0200
Subject: [PATCH] feat(profile): improve firefox profiles.

---
 apparmor.d/abstractions/app/firefox            | 4 +++-
 apparmor.d/groups/browsers/firefox             | 8 ++++++--
 apparmor.d/groups/browsers/firefox-crashhelper | 5 +++++
 apparmor.d/profiles-s-z/thunderbird-glxtest    | 2 ++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 68fb14887..238bf9e8b 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -21,8 +21,9 @@
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.FileManager1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
-  include <abstractions/bus/org.freedesktop.timedate1>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/bus/org.freedesktop.timedate1>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
@@ -98,6 +99,7 @@
         /var/tmp/ r,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,
+  owner @{tmp}/@{rand6}.tmp rw,
   owner @{tmp}/firefox/ rw,
   owner @{tmp}/firefox/* rwk,
   owner @{tmp}/mozilla* rw,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index bac81c847..f9ba190a3 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 
   signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
 
+  unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},
+  unix type=seqpacket peer=(label=firefox-crashhelper),
+
   #aa:dbus own bus=session name=org.mozilla.firefox
   #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
 
@@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{open_path}                                       rPx -> child-open,
 
   # Common extensions
+  @{bin}/browserpass                                           rPx,
+  @{bin}/keepassxc-proxy                                       rPx -> firefox//&keepassxc-proxy,
+  @{lib}/browserpass/browserpass-native                        rPx,
   /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rPx,
-  @{bin}/browserpass         rPx,
-  @{bin}/keepassxc-proxy     rPx -> firefox//&keepassxc-proxy,
 
   owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
   owner @{user_config_dirs}/ibus/bus/ r,
diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper
index 55af7c2e2..8ffdccb67 100644
--- a/apparmor.d/groups/browsers/firefox-crashhelper
+++ b/apparmor.d/groups/browsers/firefox-crashhelper
@@ -15,11 +15,16 @@ include <tunables/global>
 profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  unix type=seqpacket peer=(label=firefox),
+
   @{exec_path} mr,
 
   owner "@{config_dirs}/firefox/Crash Reports/" rw,
   owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw,
 
+  # file_inherit
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
+
   include if exists <local/firefox-crashhelper>
 }
 
diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest
index 4dc891361..53fdb1ffd 100644
--- a/apparmor.d/profiles-s-z/thunderbird-glxtest
+++ b/apparmor.d/profiles-s-z/thunderbird-glxtest
@@ -18,6 +18,8 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) {
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
+  network netlink raw,
+
   @{exec_path} mr,
 
   / r,