diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 7294daab5..50de5882c 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -30,4 +30,7 @@ # Xwayland owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, + /etc/X11/cursors/{,**} r, + /usr/share/X11/{,**} r, + include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 766539bf6..167265c0d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -9,7 +9,8 @@ abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} +@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} +@{MOZ_LIBDIR} += /opt/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} flags=(attach_disconnected) { @@ -31,6 +32,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include include + include + include + include capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 
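Review bot: `@{MOZ_LIBDIR} += /opt/firefox{,-esr}` makes the profile attach to a location that is normally an unpacked upstream tarball rather than a distro package, and such directories are frequently owned by the desktop user instead of root. If that is the case the confined user can overwrite the very binary and libraries this profile attaches to (the `@{exec_path} mrix` rule further down already loads them), so the enforcement boundary is only as strong as the ownership of /opt/firefox. A comment next to the new line recording that assumption would help, e.g. `# /opt/firefox is an unpackaged tarball; it must stay root-owned or the confined user can replace what the profile attaches to`. How the rest of the file treats /opt paths is not visible in this hunk.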
@@ -46,6 +50,76 @@ profile firefox @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus (send) bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus), + + dbus (send) bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus (send) bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=:*), + + dbus (receive) bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=SettingChanged + peer=(name=:*), + + dbus (send) bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member={GetAll,Read} + peer=(name=:*), + + dbus (send) bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member=EnumerateDevices + peer=(name=org.freedesktop.UPower), + + dbus (send) bus=session path=/org/freedesktop/PowerManagement/Inhibit + interface=org.freedesktop.PowerManagement.Inhibit + member=Inhibit + peer=(name=org.freedesktop.PowerManagement), + + dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* + member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} + peer=(name=org.freedesktop.RealtimeKit[0-9]*), + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name="{org.freedesktop.DBus,:*}"), + + dbus (receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Playlists + member=GetPlaylists + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/login[0-9]* + interface=org.freedesktop.login[0-9]*.Manager + member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown} + peer=(name=:*), + + dbus (send) bus=session 
path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=GetTreeFromDevice + peer=(name=:*), + + dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,VolumeAdded,VolumeRemoved,VolumeChanged} + peer=(name=:*), + + dbus (bind) bus=session + name=org.mpris.MediaPlayer2.firefox.*, + + dbus (bind) bus=session + name=org.mozilla.firefox.*, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, @@ -59,8 +133,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{libexec}/gvfsd-metadata rPx, /{usr/,}bin/browserpass rPx, - /{usr/,}bin/gpa rPUx, - /{usr/,}bin/keepassxc-proxy rPUx, + /{usr/,}bin/gpa rPx, + /{usr/,}bin/keepassxc-proxy rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/update-mime-database rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, @@ -81,6 +155,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/vlc rPx, /{usr/,}bin/xarchiver rPx, + /{usr/,}bin/evince rPx, /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/mozilla/plugins/ r, @@ -88,13 +163,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, - /usr/share/firefox/{,**} r, + /usr/share/firefox{,-esr}/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/firefox/{,**} r, + /etc/firefox{,-esr}/{,**} r, /etc/fstab r, /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, 
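Review bot: The RealtimeKit rule is the only new dbus rule in this hunk with no `interface=` qualifier, so it permits sending any member named `Get`/`MakeThread*` on any interface of that path rather than the two interfaces actually involved. Splitting it keeps the same functionality and pins the interfaces: `dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* interface=org.freedesktop.RealtimeKit[0-9]* member={MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} peer=(name=org.freedesktop.RealtimeKit[0-9]*),` plus `dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.RealtimeKit[0-9]*),`. Whether `Get` here is really the Properties method is an inference from the member name and should be confirmed against the audit log that produced the rule.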
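Review bot: Tightening `gpa` and `keepassxc-proxy` from `rPUx` to `rPx` means the exec is denied outright whenever no profile named for those binaries is loaded, since `Px` has no unconfined fallback. The commit does not show profiles for either binary, so this is correct only if they already exist elsewhere in the repository; otherwise browserpass/KeePassXC integration breaks silently with an exec denial. It would be worth confirming both profiles exist and, for the native-messaging host, that the chosen profile allows the inherited stdin/stdout pipes it needs.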
@@ -103,8 +178,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/opensc.conf r, /etc/xul-ext/kwallet5.js r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + # Ubuntu + /etc/gnome/*.list r, + /etc/xfce4/*.list r, + /usr/share/xfce4/applications/{,*.list} r, + /usr/share/*ubuntu/applications/{,*.list} r, owner @{HOME}/ r, @@ -130,14 +208,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, + owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw, /var/tmp/ r, /tmp/ r, owner /tmp/* rw, owner /tmp/firefox_*/ rw, owner /tmp/firefox_*/* rwk, - owner /tmp/firefox/ rw, - owner /tmp/firefox/* rwk, + owner /tmp/firefox{,-esr}/ rw, + owner /tmp/firefox{,-esr}/* rwk, owner /tmp/mozilla_*/ rw, owner /tmp/mozilla_*/* rw, owner /tmp/Temp-*/ rw, @@ -154,7 +233,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/irq r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/devices/system/cpu/possible r, deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, deny @{sys}/devices/system/cpu/present r, @@ -171,6 +249,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{PROC}/@{pid}/smaps r, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/statm r, 
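Review bot: Dropping `/var/lib/dbus/machine-id r` and `/etc/machine-id r` is only safe if one of the abstractions added earlier in this commit now supplies those reads, because a session-bus connection cannot authenticate without them and the new dbus rules in this profile would then never be exercised. The include names are not visible in this rendering, so this cannot be confirmed from the diff alone; if the reads are not covered, keep the two lines. A short comment above the removal site stating which abstraction provides them would prevent the next cleanup from reintroducing the question.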
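Review bot: `owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw` lets the confined process write a desktop launcher that the session will later execute through its `Exec=` line, entirely outside this profile. The filename glob constrains what the file is called, not what it contains, so this is a deliberate persistence/escape path that deserves an explicit note rather than sitting unannotated among mime-package rules. Suggested comment: `# Launcher written by Firefox for "Open with"/default-app handling; its Exec= line runs unconfined, so this is a known confinement gap`.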
@@ -189,10 +268,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) { deny /dev/shm/ r, # Silencer - deny /{usr/,}lib/firefox/** w, + deny @{MOZ_LIBDIR}/** w, deny capability sys_ptrace, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{HOME}/.* r, + deny /tmp/MozillaUpdateLock-* w, profile open { include @@ -203,7 +283,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,m,g}awk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, @@ -221,6 +301,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/viewnior rPUx, /{usr/,}bin/vlc rPx, /{usr/,}bin/xarchiver rPx, + /{usr/,}bin/evince rPx, /usr/share/xfce4/exo/exo-compose-mail rPx, owner @{HOME}/ r, @@ -230,6 +311,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # file_inherit owner @{HOME}/.xsession-errors w, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 6d73f41af..500b0cf12 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,6 +10,7 @@ include profile engrampa @{exec_path} { include include + include include include include 
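Review bot: `deny @{MOZ_LIBDIR}/** w` together with the new `deny /tmp/MozillaUpdateLock-* w` silently disables the built-in updater, and because `deny` takes precedence over any allow rule the `include if exists` at the end of the profile cannot re-enable it for a site. That is fine for packaged installs, but the same commit adds `/opt/firefox{,-esr}` to `@{MOZ_LIBDIR}`, and tarball installs under /opt have no package-manager update path, so those users may end up running an unpatched browser without any visible error. The silencer block should say so, e.g. `# Silencer: also blocks the built-in updater (deny wins over local/ allows); /opt tarball installs must be updated out of band`.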
@@ -17,6 +18,47 @@ profile engrampa @{exec_path} { include include include + include + include + include + include + + unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*), + + dbus (send) bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member={Change,Notify} + peer=(name=ca.desrt.dconf), + + dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*), + + dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus (send) bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={ListMounts2,LookupMount} + peer=(name=:*), + + dbus (receive) bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=Mounted + peer=(name=:*), + + dbus (send) bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*), @{exec_path} mr, @@ -69,9 +111,18 @@ profile engrampa @{exec_path} { /usr/share/**.desktop r, /usr/share/**/icons/**.png r, + /etc/magic r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/magic r, + # gnome-tiny + @{run}/mount/utab r, + + # Ubuntu + /etc/gnome/*.list r, + /etc/xfce4/*.list r, + /usr/share/xfce4/applications/{,*.list} r, + /usr/share/xubuntu/applications/{,*.list} r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, @@ -83,13 +134,13 @@ profile engrampa @{exec_path} { # Allowed apps to open /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/viewnior rPUx, /{usr/,}bin/spacefm rPx, + /{usr/,}bin/ristretto rPUx, # file_inherit owner /dev/tty[0-9]* rw, - profile open { include include 
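Review bot: `dbus (send) ... path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection` hands engrampa a private peer-to-peer socket to gvfsd, and traffic on that socket no longer passes through the bus daemon, so none of the `org.gtk.vfs.*` dbus rules in this hunk constrain what the archiver can then ask of gvfs. That is inherent to how gvfs works, but a comment such as `# GetConnection returns a private gvfsd socket; later gvfs calls are not dbus-mediated` would keep reviewers from assuming the MountTracker rules bound the access. Separately, `Notify` on the dconf Writer is a signal the writer emits, so if engrampa only listens for it the `Change,Notify` send rule should presumably become a `send` for `Change` and a `receive` for `Notify`; confirm against the audit entries.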
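Review bot: The new `/{usr/,}bin/ristretto rPUx` falls back to running the image viewer unconfined when no ristretto profile is loaded, which is the opposite direction from this same commit's change of `gpa` and `keepassxc-proxy` to `rPx` in the firefox profile. For a viewer that opens files extracted from untrusted archives, the unconfined fallback is the weaker choice; if a ristretto profile exists in the repository, `/{usr/,}bin/ristretto rPx,` keeps the two profiles consistent, otherwise a comment on the line should state why the fallback is accepted here.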
@@ -109,12 +160,13 @@ profile engrampa @{exec_path} { # Allowed apps to open /{usr/,}bin/engrampa rPx, /{usr/,}bin/geany rPx, - /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/viewnior rPUx, /{usr/,}bin/spacefm rPx, # file_inherit owner @{HOME}/.xsession-errors w, + include if exists } include if exists