felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/browsers/firefox
Alexandre Pujol 0fccbef52b
feat(profile): improve firefox profiles.
2025-08-24 22:06:34 +02:00

84 lines
3.5 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2022 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{name} = firefox{,-esr,-bin}
@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name}
@{config_dirs} = @{HOME}/.mozilla/
@{cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app/firefox>
include <abstractions/user-download-strict>
include <abstractions/user-read-strict>
signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},
unix type=seqpacket peer=(label=firefox-crashhelper),
#aa:dbus own bus=session name=org.mozilla.firefox
#aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
@{exec_path} mrix,
@{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper,
@{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest,
@{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr,
@{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
@{lib}/mozilla/plugins/ r,
@{lib}/mozilla/plugins/*.so mr,
# Desktop integration
@{bin}/gnome-software rPx,
@{bin}/kreadconfig{,5} rPx,
@{bin}/plasma-browser-integration-host rPx,
@{bin}/speech-dispatcher rPx,
@{bin}/update-mime-database rPx,
@{lib}/gvfsd-metadata rPx,
@{lib}/mozilla/kmozillahelper rPUx,
@{open_path} rPx -> child-open,
# Common extensions
@{bin}/browserpass rPx,
@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
@{lib}/browserpass/browserpass-native rPx,
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/kioslaverc r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{tmp}/.xfsm-ICE-@{rand6} rw,
owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere)
owner @{tmp}/@{uuid}.zip{,.tmp} rw,
owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,
owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,
# Silencer
deny @{lib_dirs}/** w,
include if exists <local/firefox>
}
# vim:syntax=apparmor
Reference in a new issue View git blame Copy permalink