Ubuntu 22.04, third batch (#65)

* initial

* ready

* cleanup

* cleanup2

* Update dbus-gtk
This commit is contained in:
nobodysu 2022-09-06 17:00:18 +00:00 committed by GitHub
parent 672d0a758b
commit 1649b427f8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 272 additions and 104 deletions


@ -9,7 +9,8 @@ abi <abi/3.0>,
include <tunables/global>
@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
@{MOZ_LIBDIR} += /opt/firefox{,-esr}
@{MOZ_HOMEDIR} = @{HOME}/.mozilla
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
profile firefox @{exec_path} flags=(attach_disconnected) {
@ -17,8 +18,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio>
include <abstractions/dconf-write>
include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
@ -31,6 +32,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/user-read>
include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
@ -46,6 +50,83 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
network inet6 stream,
network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={GetAll,Read}
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
interface=org.freedesktop.PowerManagement.Inhibit
member=Inhibit
peer=(name=org.freedesktop.PowerManagement),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="{org.freedesktop.DBus,:*}"),
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Playlists
member=GetPlaylists
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/login[0-9]*
interface=org.freedesktop.login[0-9]*.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=GetTreeFromDevice
peer=(name=:*),
dbus send bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=org.mozilla.firefox.* label=firefox),
dbus receive bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=:* label=firefox),
dbus bind bus=session
name=org.mpris.MediaPlayer2.firefox.*,
dbus bind bus=session
name=org.mozilla.firefox.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
@ -59,8 +140,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{libexec}/gvfsd-metadata rPx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/gpa rPUx,
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/gpa rPx,
/{usr/,}bin/keepassxc-proxy rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/update-mime-database rPx,
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
@ -81,6 +162,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/mozilla/plugins/ r,
@ -88,13 +170,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/usr/share/doc/{,**} r,
/usr/share/egl/{,**} r,
/usr/share/firefox/{,**} r,
/usr/share/firefox{,-esr}/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mozilla/extensions/{,**} r,
/usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r,
/etc/firefox/{,**} r,
/etc/firefox{,-esr}/{,**} r,
/etc/fstab r,
/etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r,
@ -103,8 +185,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/opensc.conf r,
/etc/xul-ext/kwallet5.js r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# gnome-tiny
@{run}/mount/utab r,
owner @{HOME}/ r,
@ -118,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_cache_dirs}/ rw,
@ -130,14 +212,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
/var/tmp/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/firefox_*/ rw,
owner /tmp/firefox_*/* rwk,
owner /tmp/firefox/ rw,
owner /tmp/firefox/* rwk,
owner /tmp/firefox{,-esr}/ rw,
owner /tmp/firefox{,-esr}/* rwk,
owner /tmp/mozilla_*/ rw,
owner /tmp/mozilla_*/* rw,
owner /tmp/Temp-*/ rw,
@ -171,6 +254,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/statm r,
@ -189,10 +273,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
deny /dev/shm/ r,
# Silencer
deny /{usr/,}lib/firefox/** w,
deny @{MOZ_LIBDIR}/** w,
deny capability sys_ptrace,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny owner @{HOME}/.* r,
deny /tmp/MozillaUpdateLock-* w,
profile open {
include <abstractions/base>
@ -203,7 +288,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix,
/{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
@ -221,6 +306,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/usr/share/xfce4/exo/exo-compose-mail rPx,
owner @{HOME}/ r,
@ -230,6 +316,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/firefox_open>
}
include if exists <local/firefox>
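Review bot: The new `owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,` rule in the `@ -130,14 +212,15 @@` hunk lets the confined process write launcher entries into the user's applications directory; those files presumably carry an `Exec=` line that the desktop environment and other unconfined launchers run outside this profile, so a compromised Firefox could plant a command that the `open` subprofile's exec allow-list never mediates (the enclosing `profile firefox` block starts and ends outside this hunk). The name pattern keeps the write scoped to Firefox-created handler files, which is the right shape, but the trade-off should be recorded next to the rule: add `# Handler .desktop files created by Firefox; their Exec= runs unconfined when launched by the DE` above it. In the same spirit, the RealtimeKit rule in the `@ -46,6 +50,83 @@` hunk has no `interface=`, so it matches any interface on `/org/freedesktop/RealtimeKit[0-9]*` for those member names; pinning `interface=org.freedesktop.RealtimeKit[0-9]*` for the MakeThread* members, with a separate `org.freedesktop.DBus.Properties` rule for `Get`, would keep it as tight as the neighbouring dbus rules.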