# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
#
# AppArmor profile for the Firefox browser binary. The @TOKEN@ placeholders
# (@MOZ_LIBDIR@, @MOZ_APP_NAME@, @MOZ_ADDONDIR@) are presumably substituted by
# the packaging at build time — confirm against the build rules.

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/@MOZ_LIBDIR@

#include <tunables/global>

# We want to confine the binaries that match:
#  /@MOZ_LIBDIR@/@MOZ_APP_NAME@
#  /@MOZ_LIBDIR@/firefox
# but not:
#  /@MOZ_LIBDIR@/firefox.sh
# NOTE: '{,*[^s][^h]}' matches "firefox" itself, or "firefox" followed by at
# least two characters where the second-to-last is not 's' and the last is
# not 'h'; besides firefox.sh this also leaves out any name with exactly one
# extra character or ending in 'h'.
/@MOZ_LIBDIR@/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  # accessibility (AT-SPI) bus access
  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  # the receive rule is not narrowed by interface or member, so any message
  # arriving on this path is accepted
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  # 'm' lets the user's own files under the temp dirs be mapped executable
  # (no 'w' is granted here); keep these 'owner'-scoped
  owner /tmp/** m,
  owner /var/tmp/** m,
  # owner-only shared memory (read/write plus lock) under /dev/shm and /run/shm
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,
  # let the shell know we launched something
  dbus (send)
       bus=session
       interface=org.gtk.gio.DesktopAppInfo
       member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  # explicit 'deny' rules win over the broad read/exec allows further down
  # and keep these paths out of the audit log
  deny @{MOZ_LIBDIR}/** w,
  deny /@MOZ_ADDONDIR@/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # everything under the install dir may run under this same profile ('ix');
  # writes there are denied above, so the tree stays read-only to the
  # confined process
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci*/**/{,subsystem_}device r,
  /sys/devices/pci*/**/{,subsystem_}vendor r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # (read-only, but note this exposes every world-readable file under both trees)
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  # 'k' grants file locking on the profile databases; 'm' lets the plugin
  # directories be mapped executable
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,@MOZ_APP_NAME@/} rw,
  owner @{HOME}/.cache/mozilla/@MOZ_APP_NAME@/** rw,
  owner @{HOME}/.cache/mozilla/@MOZ_APP_NAME@/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  # the peer=(label=unconfined) constraints on the sends below only allow
  # talking to services that are themselves unconfined
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=ListMountableInfo
       peer=(label=unconfined),

  # gnome-session
  dbus (send)
       bus=session
       path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       member={Inhibit,Uninhibit}
       peer=(label=unconfined),

  # unity screen API
  dbus (send)
       bus=system
       interface="org.freedesktop.DBus.Introspectable"
       path="/com/canonical/Unity/Screen"
       member="Introspect"
       peer=(label=unconfined),
  dbus (send)
       bus=system
       interface="com.canonical.Unity.Screen"
       path="/com/canonical/Unity/Screen"
       member={keepDisplayOn,removeDisplayOnRequest}
       peer=(label=unconfined),

  # freedesktop.org ScreenSaver
  dbus (send)
       bus=session
       path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
       interface=org.freedesktop.ScreenSaver
       member={Inhibit,UnInhibit,SimulateUserActivity}
       peer=(label=unconfined),

  # gnome, kde and cinnamon screensaver
  dbus (send)
       bus=session
       path=/{,ScreenSaver}
       interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
       member=SimulateUserActivity
       peer=(label=unconfined),

  # UPower
  dbus (send)
       bus=system
       path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
       peer=(label=unconfined),

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # NOTE: only ~/.mozilla is matched here, whereas the configuration rules
  # above use .{firefox,mozilla}; ~/.firefox/**/extensions gets no 'x' —
  # confirm whether that is intended
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # 'Ux' runs these helpers fully unconfined; 'Cx' with a child profile (as
  # done for lsb_release below) is the tighter option referred to above
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  /usr/bin/lsb_release Cxr -> lsb_release,
  # Child profile for lsb_release, entered through the 'Cxr -> lsb_release'
  # transition above: a python3 script that reads dpkg and distro-info data.
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    # python2 header — presumably left over from older lsb_release versions
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /usr/share/distro-info/*.csv r,
    /var/lib/dpkg/** r,

    /usr/local/lib/python3.[0-6]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-6] mr,

    # file_inherit
    # presumably quietens denials on a log descriptor inherited from the parent
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}