initial
This commit is contained in:
parent
a2fa2421cb
commit
c9acd76825
3 changed files with 153 additions and 16 deletions
|
|
@ -30,4 +30,7 @@
|
|||
# Xwayland
|
||||
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
|
||||
|
||||
/etc/X11/cursors/{,**} r,
|
||||
/usr/share/X11/{,**} r,
|
||||
|
||||
include if exists <abstractions/X-strict.d>
|
||||
|
|
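Review bot: `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,` grants write access to the Xwayland auth cookie to every profile that pulls in this abstraction, and an X client only needs to read the cookie to authenticate, so `r` looks sufficient unless a specific consumer is known to rewrite the file. If write really is required, a short comment naming the program that needs it would stop the next reader from tightening it back to `r`; e.g. `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,`. The surrounding abstraction starts outside this hunk, so I cannot tell whether an earlier rule already covers the cookie path.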
|
|||
|
|
@ -10,6 +10,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
|
||||
@{MOZ_LIBDIR} += /opt/firefox{,-esr}
|
||||
@{MOZ_HOMEDIR} = @{HOME}/.mozilla
|
||||
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
|
||||
profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
|
|
@ -31,6 +32,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-gtk>
|
||||
|
||||
capability sys_admin, # If kernel.unprivileged_userns_clone = 1
|
||||
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
|
||||
|
|
@ -46,6 +50,76 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
dbus (send) bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={RequestName,ReleaseName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus (send) bus=session path=/ScreenSaver
|
||||
interface=org.freedesktop.ScreenSaver
|
||||
member={Inhibit,UnInhibit}
|
||||
peer=(name=org.freedesktop.ScreenSaver),
|
||||
|
||||
dbus (send) bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=Read
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (receive) bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.portal.Settings
|
||||
member=SettingChanged
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=session path=/org/freedesktop/portal/desktop
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,Read}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/UPower
|
||||
interface=org.freedesktop.UPower
|
||||
member=EnumerateDevices
|
||||
peer=(name=org.freedesktop.UPower),
|
||||
|
||||
dbus (send) bus=session path=/org/freedesktop/PowerManagement/Inhibit
|
||||
interface=org.freedesktop.PowerManagement.Inhibit
|
||||
member=Inhibit
|
||||
peer=(name=org.freedesktop.PowerManagement),
|
||||
|
||||
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
|
||||
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
|
||||
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
|
||||
|
||||
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(name="{org.freedesktop.DBus,:*}"),
|
||||
|
||||
dbus (receive) bus=session path=/org/mpris/MediaPlayer2
|
||||
interface=org.mpris.MediaPlayer2.Playlists
|
||||
member=GetPlaylists
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (receive) bus=system path=/org/freedesktop/login[0-9]*
|
||||
interface=org.freedesktop.login[0-9]*.Manager
|
||||
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=session path=/org/gtk/vfs/metadata
|
||||
interface=org.gtk.vfs.Metadata
|
||||
member=GetTreeFromDevice
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={IsSupported,VolumeAdded,VolumeRemoved,VolumeChanged}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (bind) bus=session
|
||||
name=org.mpris.MediaPlayer2.firefox.*,
|
||||
|
||||
dbus (bind) bus=session
|
||||
name=org.mozilla.firefox.*,
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
|
|
@ -59,8 +133,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{libexec}/gvfsd-metadata rPx,
|
||||
/{usr/,}bin/browserpass rPx,
|
||||
/{usr/,}bin/gpa rPUx,
|
||||
/{usr/,}bin/keepassxc-proxy rPUx,
|
||||
/{usr/,}bin/gpa rPx,
|
||||
/{usr/,}bin/keepassxc-proxy rPx,
|
||||
/{usr/,}bin/lsb_release rPx -> lsb_release,
|
||||
/{usr/,}bin/update-mime-database rPx,
|
||||
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
|
||||
|
|
@ -81,6 +155,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/viewnior rPUx,
|
||||
/{usr/,}bin/vlc rPx,
|
||||
/{usr/,}bin/xarchiver rPx,
|
||||
/{usr/,}bin/evince rPx,
|
||||
|
||||
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
|
||||
/{usr/,}lib/mozilla/plugins/ r,
|
||||
|
|
@ -88,13 +163,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/usr/share/doc/{,**} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/firefox/{,**} r,
|
||||
/usr/share/firefox{,-esr}/{,**} r,
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
/usr/share/mozilla/extensions/{,**} r,
|
||||
/usr/share/webext/{,**} r,
|
||||
/usr/share/xul-ext/kwallet5/* r,
|
||||
|
||||
/etc/firefox/{,**} r,
|
||||
/etc/firefox{,-esr}/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/libva.conf r,
|
||||
|
|
@ -103,8 +178,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/opensc.conf r,
|
||||
/etc/xul-ext/kwallet5.js r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
# Ubuntu
|
||||
/etc/gnome/*.list r,
|
||||
/etc/xfce4/*.list r,
|
||||
/usr/share/xfce4/applications/{,*.list} r,
|
||||
/usr/share/*ubuntu/applications/{,*.list} r,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
|
|
@ -130,14 +208,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
|
||||
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
|
||||
owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
|
||||
|
||||
/var/tmp/ r,
|
||||
/tmp/ r,
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/firefox_*/ rw,
|
||||
owner /tmp/firefox_*/* rwk,
|
||||
owner /tmp/firefox/ rw,
|
||||
owner /tmp/firefox/* rwk,
|
||||
owner /tmp/firefox{,-esr}/ rw,
|
||||
owner /tmp/firefox{,-esr}/* rwk,
|
||||
owner /tmp/mozilla_*/ rw,
|
||||
owner /tmp/mozilla_*/* rw,
|
||||
owner /tmp/Temp-*/ rw,
|
||||
|
|
@ -154,7 +233,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
|
||||
@{sys}/devices/pci[0-9]*/**/irq r,
|
||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
|
||||
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
|
||||
deny @{sys}/devices/system/cpu/present r,
|
||||
|
|
@ -171,6 +249,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/task/ r,
|
||||
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
|
||||
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
||||
deny owner @{PROC}/@{pid}/smaps r,
|
||||
deny owner @{PROC}/@{pid}/stat r,
|
||||
deny owner @{PROC}/@{pid}/statm r,
|
||||
|
|
@ -189,10 +268,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
deny /dev/shm/ r,
|
||||
|
||||
# Silencer
|
||||
deny /{usr/,}lib/firefox/** w,
|
||||
deny @{MOZ_LIBDIR}/** w,
|
||||
deny capability sys_ptrace,
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||
deny owner @{HOME}/.* r,
|
||||
deny /tmp/MozillaUpdateLock-* w,
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
|
|
@ -203,7 +283,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
|
||||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/gawk rix,
|
||||
/{usr/,}bin/{,m,g}awk rix,
|
||||
/{usr/,}bin/readlink rix,
|
||||
/{usr/,}bin/basename rix,
|
||||
|
||||
|
|
@ -221,6 +301,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/viewnior rPUx,
|
||||
/{usr/,}bin/vlc rPx,
|
||||
/{usr/,}bin/xarchiver rPx,
|
||||
/{usr/,}bin/evince rPx,
|
||||
/usr/share/xfce4/exo/exo-compose-mail rPx,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
|
@ -230,6 +311,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
|||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/firefox_open>
|
||||
}
|
||||
|
||||
include if exists <local/firefox>
|
||||
|
|
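Review bot: The RealtimeKit rule `dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*` in the large dbus hunk is the only new rule without an `interface=` qualifier, so `{Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}` is allowed on any interface at that path; `Get` presumably belongs to `org.freedesktop.DBus.Properties` while the `MakeThread*` members belong to the RealtimeKit interface. Splitting it into two rules, each with its interface spelled out in the same `[0-9]*` style the login1 rule already uses, keeps the grant to the methods actually needed. The enclosing `profile firefox` block starts and ends outside the hunk.
```apparmor
  dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.RealtimeKit[0-9]*),

  dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]*
       interface=org.freedesktop.RealtimeKit[0-9]*
       member={MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
       peer=(name=org.freedesktop.RealtimeKit[0-9]*),
# … unchanged: remaining dbus rules, exec and file rules …
```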
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile engrampa @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/X-strict>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
|
|
@ -17,6 +18,47 @@ profile engrampa @{exec_path} {
|
|||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/dbus-accessibility-strict>
|
||||
include <abstractions/dbus-gtk>
|
||||
include <abstractions/ibus>
|
||||
|
||||
unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
|
||||
|
||||
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user
|
||||
interface=ca.desrt.dconf.Writer
|
||||
member={Change,Notify}
|
||||
peer=(name=ca.desrt.dconf),
|
||||
|
||||
dbus (send) bus=session path=/org/gtk/Private/RemoteVolumeMonitor
|
||||
interface=org.gtk.Private.RemoteVolumeMonitor
|
||||
member={IsSupported,List}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.a11y.atspi.Socket
|
||||
member=Embed
|
||||
peer=(name=org.a11y.atspi.Registry),
|
||||
|
||||
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Set
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member={ListMounts2,LookupMount}
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (receive) bus=session path=/org/gtk/vfs/mounttracker
|
||||
interface=org.gtk.vfs.MountTracker
|
||||
member=Mounted
|
||||
peer=(name=:*),
|
||||
|
||||
dbus (send) bus=session path=/org/gtk/vfs/Daemon
|
||||
interface=org.gtk.vfs.Daemon
|
||||
member=GetConnection
|
||||
peer=(name=:*),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -69,9 +111,18 @@ profile engrampa @{exec_path} {
|
|||
/usr/share/**.desktop r,
|
||||
/usr/share/**/icons/**.png r,
|
||||
|
||||
/etc/magic r,
|
||||
|
||||
/usr/share/glib-2.0/schemas/gschemas.compiled r,
|
||||
|
||||
/etc/magic r,
|
||||
# gnome-tiny
|
||||
@{run}/mount/utab r,
|
||||
|
||||
# Ubuntu
|
||||
/etc/gnome/*.list r,
|
||||
/etc/xfce4/*.list r,
|
||||
/usr/share/xfce4/applications/{,*.list} r,
|
||||
/usr/share/xubuntu/applications/{,*.list} r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
@ -85,11 +136,11 @@ profile engrampa @{exec_path} {
|
|||
/{usr/,}bin/geany rPx,
|
||||
/{usr/,}bin/viewnior rPUx,
|
||||
/{usr/,}bin/spacefm rPx,
|
||||
/{usr/,}bin/ristretto rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner /dev/tty[0-9]* rw,
|
||||
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
|
@ -115,6 +166,7 @@ profile engrampa @{exec_path} {
|
|||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
include if exists <local/engrampa_open>
|
||||
}
|
||||
|
||||
include if exists <local/engrampa>
|
||||
|
|
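Review bot: The Ubuntu block added in the `@ -69,9 +111,18 @@` hunk uses `/usr/share/xubuntu/applications/{,*.list} r,` while the same block added to the firefox profile in this commit uses `/usr/share/*ubuntu/applications/{,*.list} r,`; if the narrower spelling is intentional for engrampa, fine, otherwise the two profiles should agree. In that hunk `/etc/magic r,` is printed twice; with one deletion in the hunk header I assume the first copy is the removed line, but if both survive one is a duplicate. `unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),` in the earlier hunk sits next to `include <abstractions/X-strict>`, so it may duplicate what that abstraction already grants — worth a comment such as `# X11 abstract socket (not covered by X-strict)` if it is needed. The `profile engrampa` block continues outside these hunks.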
|
|||