# ------------------------------------------------------------------
# Copyright (C) 2009-2011 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>
# We want to confine the binaries that match:
# /usr/lib/firefox-4.0b8/firefox
# /usr/lib/firefox-4.0b8/firefox
# but not (excluded by the {,*[^s][^h]} suffix in the glob below):
# /usr/lib/firefox-4.0b8/firefox.sh
/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
# should maybe be in abstractions
/usr/share/xubuntu/applications/defaults.list r,
/etc/wildmidi/wildmidi.cfg r,
/etc/xulrunner{,-[0-9]*}/** r,
deny /usr/lib/firefox{,-[0-9]*}/** w,
deny /usr/lib/{firefox,xulrunner}-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
/usr/lib/firefox{,-[0-9]*}/** ixr,
deny /usr/lib/firefox/firefox.sh x,
/usr/bin/basename ixr,
@{PROC}/[0-9]*/cmdline r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/stat r,
@{PROC}/[0-9]*/status r,
# Needed for the crash reporter
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# Make browsing directories work
# allow read-only access to documentation and other files the user may want to look at
/usr/{include,share,src}/** r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/Public/ r,
owner @{HOME}/Public/** r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/.thumbnails/*/*.png r,
# per-user firefox configuration
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/firefox*-bin-* rw,
# /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
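# Allow 'x' for downloaded extensions, but inherit this profile ('ix') so
# anything executed from there stays confined. Note these paths are also
# owner-writable via the per-user firefox configuration rules above.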
owner @{HOME}/.mozilla/**/extensions/** mixr,
deny /usr/lib/firefox{,-[0-9]*}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Site-specific additions and overrides. See local/README for details.
# The local include is disabled; we only enable it for profiles we promote
## include <local/usr.bin.firefox>