diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index 094963089..997c163ea 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium @@ -6,11 +6,11 @@ # (like electron) use abstractions/chromium-common instead. # This abstraction requires the following variables definied in the profile header: -# @{chromium_name} = chromium -# @{chromium_domain} = org.chromium.Chromium -# @{chromium_lib_dirs} = @{lib}/chromium -# @{chromium_config_dirs} = @{user_config_dirs}/chromium -# @{chromium_cache_dirs} = @{user_cache_dirs}/chromium +# @{name} = chromium +# @{domain} = org.chromium.Chromium +# @{lib_dirs} = @{lib}/chromium +# @{config_dirs} = @{user_config_dirs}/chromium +# @{cache_dirs} = @{user_cache_dirs}/chromium abi , @@ -55,9 +55,9 @@ network inet6 stream, network netlink raw, - @{chromium_lib_dirs}/{,**} r, - @{chromium_lib_dirs}/chrome_crashpad_handler rPx, - @{chromium_lib_dirs}/chrome-sandbox rPx, + @{lib_dirs}/{,**} r, + @{lib_dirs}/chrome_crashpad_handler rPx, + @{lib_dirs}/chrome-sandbox rPx, # Desktop integration @{bin}/lsb_release rPx -> lsb_release, @@ -87,14 +87,14 @@ @{bin}/chrome-gnome-shell rPx, @{bin}/gnome-browser-connector-host rPx, - /usr/share/@{chromium_name}/{,**} r, + /usr/share/@{name}/{,**} r, /usr/share/chromium/extensions/{,**} r, /usr/share/egl/{,**} r, /usr/share/libdrm/*.ids r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, - /etc/@{chromium_name}/{,**} r, + /etc/@{name}/{,**} r, /etc/fstab r, /etc/libva.conf r, /etc/opensc.conf r, @@ -115,13 +115,13 @@ owner @{user_config_dirs}/ r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/.@{chromium_domain}.* rw, + owner @{user_share_dirs}/.@{domain}.* rw, - owner @{chromium_config_dirs}/ rw, - owner @{chromium_config_dirs}/** rwk, - owner @{chromium_config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, + owner @{config_dirs}/ rw, + owner @{config_dirs}/** rwk, + owner @{config_dirs}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, - owner @{chromium_cache_dirs}/{,**} rw, + owner @{cache_dirs}/{,**} rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -135,16 +135,16 @@ /tmp/ r, /var/tmp/ r, - owner /tmp/.@{chromium_domain}.* rw, - owner /tmp/.@{chromium_domain}*/{,**} rw, - owner /tmp/@{chromium_name}-crashlog-@{int}-@{int}.txt rw, + owner /tmp/.@{domain}.* rw, + owner /tmp/.@{domain}*/{,**} rw, + owner /tmp/@{name}-crashlog-@{int}-@{int}.txt rw, owner /tmp/scoped_dir*/{,**} rw, owner /tmp/tmp.* rw, owner /tmp/tmp.*/ rw, owner /tmp/tmp.*/** rwk, /dev/shm/ r, - owner /dev/shm/.@{chromium_domain}* rw, + owner /dev/shm/.@{domain}* rw, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -198,7 +198,7 @@ owner /dev/tty@{int} rw, # Silencer - deny @{chromium_lib_dirs}/** w, + deny @{lib_dirs}/** w, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4d087c650..753e622a9 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -7,13 +7,13 @@ abi , include -@{chromium_name} = brave{,-beta,-dev,-bin} -@{chromium_domain} = com.brave.Brave -@{chromium_lib_dirs} = /opt/brave{-bin,.com}/@{chromium_name} -@{chromium_config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{chromium_cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{name} = brave{,-beta,-dev,-bin} +@{domain} = com.brave.Brave +@{lib_dirs} = /opt/brave{-bin,.com}/@{name} +@{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} +@{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} -@{exec_path} = @{chromium_lib_dirs}{,/@{chromium_name}} +@{exec_path} = @{lib_dirs}{,/@{name}} profile brave @{exec_path} { include include @@ -22,8 +22,8 @@ profile brave @{exec_path} { @{bin}/man rPUx, # For "brave --help" - @{chromium_lib_dirs}/swiftshader/libGLESv2.so mr, - @{chromium_lib_dirs}/swiftshader/libEGL.so mr, + @{lib_dirs}/swiftshader/libGLESv2.so mr, + @{lib_dirs}/swiftshader/libEGL.so mr, /usr/share/chromium/extensions/ r, @@ -33,8 +33,8 @@ profile brave @{exec_path} { owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, - owner @{chromium_config_dirs}/WidevineCdm/libwidevinecdm.so mrw, - owner @{chromium_cache_dirs}/BraveSoftware/ rw, + owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, + owner @{cache_dirs}/BraveSoftware/ rw, owner /tmp/net-export/ rw, # For brave://net-export/ diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 417f0f269..a396816da 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -7,9 +7,9 @@ abi , include -@{chromium_lib_dirs} = /opt/brave.com/brave{,-beta,-dev} /opt/brave-bin/brave{,-beta,-dev} +@{lib_dirs} = /opt/brave.com/brave{,-beta,-dev} /opt/brave-bin/brave{,-beta,-dev} -@{exec_path} = @{chromium_lib_dirs}/{brave,chrome}-sandbox +@{exec_path} = @{lib_dirs}/{brave,chrome}-sandbox profile brave-sandbox @{exec_path} { include @@ -21,7 +21,7 @@ profile brave-sandbox @{exec_path} { @{exec_path} mr, - @{chromium_lib_dirs}/brave rPx, + @{lib_dirs}/brave rPx, @{PROC} r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index a5adcfb80..90d447e6a 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -7,9 +7,9 @@ abi , include -@{chromium_lib_dirs} = /opt/brave.com/brave{,-beta,-dev} /opt/brave-bin/brave{,-beta,-dev} +@{lib_dirs} = /opt/brave.com/brave{,-beta,-dev} /opt/brave-bin/brave{,-beta,-dev} -@{exec_path} = @{chromium_lib_dirs}/brave-browser{,-beta,-dev} +@{exec_path} = @{lib_dirs}/brave-browser{,-beta,-dev} profile brave-wrapper @{exec_path} { include include @@ -24,7 +24,7 @@ profile brave-wrapper @{exec_path} { @{bin}/touch rix, @{bin}/which{,.debianutils} rix, - @{chromium_lib_dirs}/brave rPx, + @{lib_dirs}/brave rPx, owner @{PROC}/@{pid}/fd/ w, diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index e1b2a7782..8ce6a2591 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -7,13 +7,13 @@ abi , include -@{chromium_name} = chrome{,-beta,-stable,-unstable} -@{chromium_domain} = com.google.Chrome -@{chromium_lib_dirs} = /opt/google/@{chromium_name} -@{chromium_config_dirs} = @{user_config_dirs}/google-@{chromium_name} -@{chromium_cache_dirs} = @{user_cache_dirs}/google-@{chromium_name} +@{name} = chrome{,-beta,-stable,-unstable} +@{domain} = com.google.Chrome +@{lib_dirs} = /opt/google/@{name} +@{config_dirs} = @{user_config_dirs}/google-@{name} +@{cache_dirs} = @{user_cache_dirs}/google-@{name} -@{exec_path} = @{chromium_lib_dirs}/@{chromium_name} +@{exec_path} = @{lib_dirs}/@{name} profile chrome @{exec_path} { include include @@ -22,16 +22,16 @@ profile chrome @{exec_path} { @{bin}/man rPUx, # For "chrome --help" - @{chromium_lib_dirs}/google-@{chromium_name} rPx, + @{lib_dirs}/google-@{name} rPx, - @{chromium_lib_dirs}/nacl_helper rix, - @{chromium_lib_dirs}/xdg-mime rix, #-> xdg-mime, - @{chromium_lib_dirs}/xdg-settings rix, #-> xdg-settings, + @{lib_dirs}/nacl_helper rix, + @{lib_dirs}/xdg-mime rix, #-> xdg-mime, + @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - @{chromium_lib_dirs}/*.so* mr, - @{chromium_lib_dirs}/libwidevinecdm.so mr, - @{chromium_lib_dirs}/libwidevinecdmadapter.so mr, - @{chromium_lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, + @{lib_dirs}/*.so* mr, + @{lib_dirs}/libwidevinecdm.so mr, + @{lib_dirs}/libwidevinecdmadapter.so mr, + @{lib_dirs}/WidevineCdm/_platform_specific/linux_*/libwidevinecdm.so mr, include if exists } diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler index 0c0365971..6f196a5df 100644 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler @@ -7,10 +7,10 @@ abi , include -@{chromium_lib_dirs} = /opt/google/chrome{,-beta,-unstable} -@{chromium_config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable} +@{lib_dirs} = /opt/google/chrome{,-beta,-unstable} +@{config_dirs} = @{user_config_dirs}/google-chrome{,-beta,-unstable} -@{exec_path} = @{chromium_lib_dirs}/chrome_crashpad_handler +@{exec_path} = @{lib_dirs}/chrome_crashpad_handler profile chrome-crashpad-handler @{exec_path} { include @@ -21,7 +21,7 @@ profile chrome-crashpad-handler @{exec_path} { @{exec_path} mrix, - owner "@{chromium_config_dirs}/Crash Reports/**" rwk, + owner "@{config_dirs}/Crash Reports/**" rwk, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox index 95152871c..82d19dfa3 100644 --- a/apparmor.d/groups/browsers/chrome-sandbox +++ b/apparmor.d/groups/browsers/chrome-sandbox @@ -7,9 +7,9 @@ abi , include -@{chromium_lib_dirs} = /opt/google/chrome{,-stable,-beta,-unstable} +@{lib_dirs} = /opt/google/chrome{,-stable,-beta,-unstable} -@{exec_path} = @{chromium_lib_dirs}/chrome-sandbox +@{exec_path} = @{lib_dirs}/chrome-sandbox profile chrome-sandbox @{exec_path} { include @@ -21,8 +21,8 @@ profile chrome-sandbox @{exec_path} { @{exec_path} mr, - @{chromium_lib_dirs}/chrome rPx, - @{chromium_lib_dirs}/nacl_helper rix, + @{lib_dirs}/chrome rPx, + @{lib_dirs}/nacl_helper rix, @{PROC} r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index b21cd1c5a..0c2043b3b 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -7,9 +7,9 @@ abi , include -@{chromium_lib_dirs} = /opt/google/chrome{,-beta,-unstable} +@{lib_dirs} = /opt/google/chrome{,-beta,-unstable} -@{exec_path} = @{chromium_lib_dirs}/google-chrome{,-beta,-unstable} +@{exec_path} = @{lib_dirs}/google-chrome{,-beta,-unstable} profile chrome-wrapper @{exec_path} { include include @@ -24,7 +24,7 @@ profile chrome-wrapper @{exec_path} { @{bin}/touch rix, @{bin}/which{,.debianutils} rix, - @{chromium_lib_dirs}/chrome rPx, + @{lib_dirs}/chrome rPx, owner @{user_config_dirs}/chrome-flags.conf r, diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 6c5675523..82bfd6970 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -7,13 +7,13 @@ abi , include -@{chromium_name} = chromium -@{chromium_domain} = org.chromium.Chromium -@{chromium_lib_dirs} = @{lib}/@{chromium_name} -@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} -@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} +@{name} = chromium +@{domain} = org.chromium.Chromium +@{lib_dirs} = @{lib}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{chromium_lib_dirs}/@{chromium_name} +@{exec_path} = @{lib_dirs}/@{name} profile chromium @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index dc47a5328..ff903a3df 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -7,7 +7,7 @@ abi , include -@{chromium_config_dirs} = @{user_config_dirs}/chromium +@{config_dirs} = @{user_config_dirs}/chromium @{exec_path} = @{lib}/chromium/chrome_crashpad_handler profile chromium-crashpad-handler @{exec_path} { @@ -20,7 +20,7 @@ profile chromium-crashpad-handler @{exec_path} { @{exec_path} mrix, - owner "@{chromium_config_dirs}/Crash Reports/**" rwk, + owner "@{config_dirs}/Crash Reports/**" rwk, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 4e352790a..b71e7bbc9 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -7,12 +7,12 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} -@{firefox_config_dirs} = @{HOME}/.mozilla/ -@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ -@{exec_path} = @{bin}/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name} +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include include @@ -133,14 +133,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/expr rix, - @{firefox_lib_dirs}/{,**} r, - @{firefox_lib_dirs}/*.so mr, - @{firefox_lib_dirs}/crashreporter rPx, - @{firefox_lib_dirs}/glxtest rPx, - @{firefox_lib_dirs}/minidump-analyzer rPx, - @{firefox_lib_dirs}/pingsender rPx, - @{firefox_lib_dirs}/plugin-container rPx, - @{firefox_lib_dirs}/vaapitest rPx, + @{lib_dirs}/{,**} r, + @{lib_dirs}/*.so mr, + @{lib_dirs}/crashreporter rPx, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/minidump-analyzer rPx, + @{lib_dirs}/pingsender rPx, + @{lib_dirs}/plugin-container rPx, + @{lib_dirs}/vaapitest rPx, @{lib}/mozilla/kmozillahelper rPUx, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @@ -164,7 +164,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # As a temporary solution - see issue #128 @{bin}/keepassxc-proxy rix, - /usr/share/@{firefox_name}/{,**} r, + /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, /usr/share/icu/@{int}.@{int}/*.dat r, @@ -173,7 +173,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/@{firefox_name}/{,**} r, + /etc/@{name}/{,**} r, /etc/cups/client.conf r, /etc/fstab r, /etc/igfx_user_feature{,_next}.txt w, @@ -205,18 +205,18 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - owner @{firefox_config_dirs}/ rw, - owner @{firefox_config_dirs}/{extensions,systemextensionsdev}/ rw, - owner @{firefox_config_dirs}/extensions/\{*\}/ r, - owner @{firefox_config_dirs}/firefox/ rw, - owner @{firefox_config_dirs}/firefox/*/ rw, - owner @{firefox_config_dirs}/firefox/*/** rwk, - owner @{firefox_config_dirs}/firefox/installs.ini rw, - owner @{firefox_config_dirs}/firefox/profiles.ini rw, - owner @{firefox_config_dirs}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, + owner @{config_dirs}/ rw, + owner @{config_dirs}/{extensions,systemextensionsdev}/ rw, + owner @{config_dirs}/extensions/\{*\}/ r, + owner @{config_dirs}/firefox/ rw, + owner @{config_dirs}/firefox/*/ rw, + owner @{config_dirs}/firefox/*/** rwk, + owner @{config_dirs}/firefox/installs.ini rw, + owner @{config_dirs}/firefox/profiles.ini rw, + owner @{config_dirs}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, - owner @{firefox_cache_dirs}/ rw, - owner @{firefox_cache_dirs}/** rwk, + owner @{cache_dirs}/ rw, + owner @{cache_dirs}/** rwk, /tmp/ r, /var/tmp/ r, @@ -224,10 +224,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner /tmp/user/@{uid}/* rwk, owner /tmp/user/@{uid}/Temp-*/ rw, owner /tmp/user/@{uid}/Temp-*/* rwk, - owner /tmp/user/@{uid}/@{firefox_name}/ rw, - owner /tmp/user/@{uid}/@{firefox_name}/* rwk, - owner /tmp/@{firefox_name}/ rw, - owner /tmp/@{firefox_name}/* rwk, + owner /tmp/user/@{uid}/@{name}/ rw, + owner /tmp/user/@{uid}/@{name}/* rwk, + owner /tmp/@{name}/ rw, + owner /tmp/@{name}/* rwk, owner /tmp/* rw, owner /tmp/firefox_*/ rw, owner /tmp/firefox_*/* rwk, @@ -295,7 +295,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /tmp/.X0-lock r, # Silencer - deny @{firefox_lib_dirs}/** w, + deny @{lib_dirs}/** w, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny /tmp/MozillaUpdateLock-* w, deny owner @{HOME}/.* r, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index e74136146..f6efb83b0 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -7,12 +7,12 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} -@{firefox_config_dirs} = @{HOME}/.mozilla/ -@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ -@{exec_path} = @{firefox_lib_dirs}/crashreporter +@{exec_path} = @{lib_dirs}/crashreporter profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include include @@ -33,21 +33,21 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{firefox_lib_dirs}/minidump-analyzer rPx, + @{lib_dirs}/minidump-analyzer rPx, @{bin}/mv rix, /usr/share/X11/xkb/** r, - owner "@{firefox_config_dirs}/firefox/Crash Reports/{,**}" rw, - owner @{firefox_config_dirs}/*.*/crashes/{,**} rw, - owner @{firefox_config_dirs}/*.*/crashes/events/@{uuid} rw, - owner @{firefox_config_dirs}/*.*/extensions/*.xpi r, - owner @{firefox_config_dirs}/*.*/minidumps/{,**} rw, - owner @{firefox_config_dirs}/*.*/minidumps//@{uuid}.{dmp,extra} r, - owner @{firefox_config_dirs}/*.*/storage/default/* r, + owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, + owner @{config_dirs}/*.*/crashes/{,**} rw, + owner @{config_dirs}/*.*/crashes/events/@{uuid} rw, + owner @{config_dirs}/*.*/extensions/*.xpi r, + owner @{config_dirs}/*.*/minidumps/{,**} rw, + owner @{config_dirs}/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/*.*/storage/default/* r, - owner @{firefox_cache_dirs}/firefox/*.*/** r, + owner @{cache_dirs}/firefox/*.*/** r, /tmp/ r, /var/tmp/ r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 4a637efeb..8cfaf2932 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -6,11 +6,11 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} -@{firefox_config_dirs} = @{HOME}/.mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ -@{exec_path} = @{firefox_lib_dirs}/glxtest +@{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} { include include @@ -23,7 +23,7 @@ profile firefox-glxtest @{exec_path} { @{exec_path} mr, - owner @{firefox_config_dirs}/firefox/*/.parentlock rw, + owner @{config_dirs}/firefox/*/.parentlock rw, owner /tmp/firefox/.parentlock rw, diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index dc725f3fc..9ef98bd8e 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -9,12 +9,12 @@ include @{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} -@{firefox_config_dirs} = @{HOME}/.mozilla/ -@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ -@{exec_path} = @{firefox_lib_dirs}/minidump-analyzer +@{exec_path} = @{lib_dirs}/minidump-analyzer profile firefox-minidump-analyzer @{exec_path} { include @@ -24,15 +24,15 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{HOME}/.xsession-errors w, - owner "@{firefox_config_dirs}/firefox/Crash Reports/" rw, - owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/" rw, - owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, - owner @{firefox_config_dirs}/*.*/extensions/*.xpi r, - owner @{firefox_config_dirs}/*.*/minidumps/ rw, - owner @{firefox_config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw, - owner @{firefox_config_dirs}/*.*/storage/default/* r, + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/pending/" rw, + owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, + owner @{config_dirs}/*.*/extensions/*.xpi r, + owner @{config_dirs}/*.*/minidumps/ rw, + owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw, + owner @{config_dirs}/*.*/storage/default/* r, - owner @{firefox_cache_dirs}/firefox/*.*/startupCache/*Cache* r, + owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r, owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/firefox/.parentlock w, diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 9fa705aff..3092250d8 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -7,11 +7,11 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name}/ /opt/@{firefox_name}/ -@{firefox_config_dirs} = @{HOME}/.mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name}/ /opt/@{name}/ +@{config_dirs} = @{HOME}/.mozilla/ -@{exec_path} = @{firefox_lib_dirs}/pingsender +@{exec_path} = @{lib_dirs}/pingsender profile firefox-pingsender @{exec_path} { include include @@ -25,7 +25,7 @@ profile firefox-pingsender @{exec_path} { @{exec_path} mr, - owner @{firefox_config_dirs}/firefox/*.*/saved-telemetry-pings/@{uuid} rw, + owner @{config_dirs}/firefox/*.*/saved-telemetry-pings/@{uuid} rw, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index dd4590b97..c976c07ca 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -7,10 +7,10 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} -@{exec_path} = @{firefox_lib_dirs}/plugin-container +@{exec_path} = @{lib_dirs}/plugin-container profile firefox-plugin-container @{exec_path} { include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 7c5fb559f..74761a2bf 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -6,11 +6,11 @@ abi , include -@{firefox_name} = firefox{,.sh,-esr,-bin} -@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name} -@{firefox_config_dirs} = @{HOME}/.mozilla/ +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ -@{exec_path} = @{firefox_lib_dirs}/vaapitest +@{exec_path} = @{lib_dirs}/vaapitest profile firefox-vaapitest @{exec_path} { include include @@ -25,8 +25,8 @@ profile firefox-vaapitest @{exec_path} { /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, - deny owner @{firefox_config_dirs}/firefox/*/.parentlock rw, - deny owner @{firefox_config_dirs}/firefox/*/startupCache/** r, + deny owner @{config_dirs}/firefox/*/.parentlock rw, + deny owner @{config_dirs}/firefox/*/startupCache/** r, deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, owner /tmp/firefox/.parentlock rw, diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index f597aa028..86a004da9 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -7,22 +7,22 @@ abi , include -@{chromium_name} = opera{,-beta,-developer} -@{chromium_domain} = com.opera.Opera -@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} -@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} -@{chromium_cache_dirs} = @{user_cache_dirs}/@{chromium_name} +@{name} = opera{,-beta,-developer} +@{domain} = com.opera.Opera +@{lib_dirs} = @{lib}/@{multiarch}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{chromium_lib_dirs}/@{chromium_name} +@{exec_path} = @{lib_dirs}/@{name} profile opera @{exec_path} { include include @{exec_path} mrix, - @{chromium_lib_dirs}/opera_autoupdate krix, - @{chromium_lib_dirs}/opera_crashreporter rPx, - @{chromium_lib_dirs}/opera-sandbox rPx, + @{lib_dirs}/opera_autoupdate krix, + @{lib_dirs}/opera_crashreporter rPx, + @{lib_dirs}/opera-sandbox rPx, /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr, /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr, diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 9751debab..aa57e53ba 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -7,11 +7,11 @@ abi , include -@{chromium_name} = opera{,-beta,-developer} -@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} -@{chromium_config_dirs} = @{user_config_dirs}/@{chromium_name} +@{name} = opera{,-beta,-developer} +@{lib_dirs} = @{lib}/@{multiarch}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{chromium_lib_dirs}/opera_crashreporter +@{exec_path} = @{lib_dirs}/opera_crashreporter profile opera-crashreporter @{exec_path} { include include @@ -25,9 +25,9 @@ profile opera-crashreporter @{exec_path} { @{exec_path} mr, - owner @{chromium_config_dirs}/crash_count.txt rwk, - owner @{chromium_config_dirs}/GPUCache/data_* r, - owner @{chromium_config_dirs}/GPUCache/index r, + owner @{config_dirs}/crash_count.txt rwk, + owner @{config_dirs}/GPUCache/data_* r, + owner @{config_dirs}/GPUCache/index r, owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 7535b3f89..211bd8e38 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox @@ -6,10 +6,10 @@ abi , include -@{chromium_name} = opera{,-beta,-developer} -@{chromium_lib_dirs} = @{lib}/@{multiarch}/@{chromium_name} +@{name} = opera{,-beta,-developer} +@{lib_dirs} = @{lib}/@{multiarch}/@{name} -@{exec_path} = @{chromium_lib_dirs}/opera_sandbox +@{exec_path} = @{lib_dirs}/opera_sandbox profile opera-sandbox @{exec_path} { include include @@ -25,7 +25,7 @@ profile opera-sandbox @{exec_path} { @{exec_path} mr, - @{chromium_lib_dirs}/opera{,-beta,-developer} rPx, + @{lib_dirs}/opera{,-beta,-developer} rPx, @{PROC} r, @{PROC}/@{pids}/ r,