2
# Author: Jamie Strandboge <jamie@canonical.com>
4
# Declare an apparmor variable to help with overrides
5
@{MOZ_LIBDIR}=@MOZ_LIBDIR@
7
#include <tunables/global>
9
# We want to confine the binaries that match:
10
# @MOZ_LIBDIR@/@MOZ_APP_NAME@
11
# @MOZ_LIBDIR@/firefox
13
# @MOZ_LIBDIR@/firefox.sh
14
@MOZ_LIBDIR@/firefox{,*[^s][^h]} {
15
#include <abstractions/audio>
16
#include <abstractions/cups-client>
17
#include <abstractions/dbus-session>
18
#include <abstractions/gnome>
19
#include <abstractions/nameservice>
22
#include <abstractions/ubuntu-browsers.d/firefox>
27
@{PROC}/[0-9]*/net/if_inet6 r,
28
@{PROC}/[0-9]*/net/ipv6_route r,
30
# should maybe be in abstractions
34
/etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
35
/usr/share/xubuntu/applications/defaults.list r,
36
owner @{HOME}/.local/share/applications/defaults.list r,
37
owner @{HOME}/.local/share/applications/mimeapps.list r,
38
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
44
/etc/wildmidi/wildmidi.cfg r,
50
/etc/xulrunner-2.0*/ r,
51
/etc/xulrunner-2.0*/** r,
56
deny @{MOZ_LIBDIR}/** w,
57
deny /usr/lib/@MOZ_APP_NAME@-addons/** w,
58
deny /usr/lib/xulrunner-addons/** w,
59
deny /usr/lib/xulrunner-*/components/*.tmp w,
61
deny /boot/initrd.img* r,
62
deny /boot/vmlinuz* r,
63
deny /var/cache/fontconfig/ w,
64
deny @{HOME}/.local/share/recently-used.xbel r,
67
deny /usr/bin/gconftool-2 x,
69
# These are needed when a new user starts firefox and firefox.sh is used
71
/usr/bin/basename ixr,
78
@{PROC}/[0-9]*/cmdline r,
79
@{PROC}/[0-9]*/mountinfo r,
80
@{PROC}/[0-9]*/stat r,
81
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
82
@{PROC}/[0-9]*/status r,
83
@{PROC}/filesystems r,
84
owner @{HOME}/.thumbnails/*/*.png r,
89
# Needed for the crash reporter
90
owner @{PROC}/[0-9]*/environ r,
91
owner @{PROC}/[0-9]*/auxv r,
94
/sys/devices/system/cpu/ r,
95
/sys/devices/system/cpu/** r,
97
# Needed for container to work in xul builds
98
/usr/lib/xulrunner-*/plugin-container ixr,
100
# allow access to documentation and other files the user may want to look
105
# so browsing directories works
109
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
111
owner @{HOME}/Public/ r,
112
owner @{HOME}/Public/* r,
113
owner @{HOME}/Downloads/ r,
114
owner @{HOME}/Downloads/* rw,
116
# per-user firefox configuration
117
owner @{HOME}/.{firefox,mozilla}/ rw,
118
owner @{HOME}/.{firefox,mozilla}/** rw,
119
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
120
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
121
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
122
owner @{HOME}/.config/ibus/bus/ w,
123
owner @{HOME}/.gnome2/firefox*-bin-* rw,
127
# /usr/share/.../extensions/... is already covered by '/usr/** r', above.
128
# Allow 'x' for downloaded extensions, but inherit policy for safety
129
owner @{HOME}/.mozilla/**/extensions/** mixr,
131
deny @{MOZ_LIBDIR}/update.test w,
132
deny /usr/lib/mozilla/extensions/**/ w,
133
deny /usr/lib/xulrunner-addons/extensions/**/ w,
134
deny /usr/share/mozilla/extensions/**/ w,
135
deny /usr/share/mozilla/ w,
137
# Miscellaneous (to be abstracted)
138
/usr/bin/mkfifo Uxr, # TODO: investigate
139
/bin/ps Uxr, # TODO: child profile
140
/bin/uname Uxr, # TODO: child profile
142
# Site-specific additions and overrides. See local/README for details.
143
#include <local/usr.bin.firefox>