
Firefox AppArmor profile for openSUSE 13.1

# AppArmor profile for Firefox on openSUSE 13.1 (AppArmor 2.x profile syntax).
# Conventions used in this file:
#   - every rule ends with ","; "#" starts a comment
#   - r / w   read / write
#   - m       allow mapping the file executable (mmap PROT_EXEC)
#   - k       file locking
#   - ix      execute the target and keep it under this same profile (inherit)
#   - Ux      execute the target UNCONFINED (environment scrubbed); the child
#             is no longer restricted by anything in this file
#   - owner   the rule only matches files owned by the confined task's uid
#   - deny    explicit deny; wins over any allow rule and is not logged, so
#             these rules also silence expected noise in the audit log
# AppArmor only narrows access: normal file permissions (DAC) still apply.
# The global tunables provide the @{HOME} and @{PROC} variables used below.
#include <tunables/global>

# Attachment: /usr/lib/firefox/firefox or /usr/lib64/firefox/firefox, plus
# names such as firefox-bin. The [^s][^h] tail keeps firefox.sh out, so the
# wrapper script itself is not confined; confinement starts at the real binary.
/usr/lib{,64}/firefox/firefox{,*[^s][^h]} {
# Shared abstractions: base libraries, X11, audio, printing (cups client),
# D-Bus system and session bus, GNOME, ibus input method, name resolution
# (nameservice) and p11-kit PKCS#11 module configuration.
#include <abstractions/base>
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/p11-kit>

# base requirements
# Stream (TCP) sockets over IPv4 and IPv6. No dgram rule is given here, so
# UDP is only available if one of the included abstractions grants it.
network inet stream,
network inet6 stream,

# proc entries
@{PROC}/ r,
@{PROC}/filesystems r,

# Process introspection. `owner` limits these to processes running as the
# same user, not only Firefox's own; note that cmdline and environ of any
# same-uid process become readable through these rules.
owner @{PROC}/[0-9]*/net/if_inet6 r,
owner @{PROC}/[0-9]*/net/ipv6_route r,
owner @{PROC}/[0-9]*/net/dev r,
owner @{PROC}/[0-9]*/net/wireless r,
owner @{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/mountinfo r,
owner @{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/statm r,
owner @{PROC}/[0-9]*/smaps r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/fd/** r,
owner @{PROC}/[0-9]*/environ r,
owner @{PROC}/[0-9]*/auxv r,

# system wide configs (read-only)
/etc/ r,
/etc/mime.types r,
/etc/mailcap r,
/etc/timezone r,
/etc/wildmidi/wildmidi.cfg r,
/etc/udev/udev.conf r,
/etc/mtab r,
/etc/fstab r,
/etc/lsb-release r,

# tmp and runtime configs access
# `m` only: the user's own files under /tmp and /var/tmp may be mapped
# executable. These lines grant no plain read/write of /tmp themselves —
# NOTE(review): check which included abstraction supplies that, if any.
owner /tmp/** m,
owner /var/tmp/** m,
owner /{,var/}run/**/xauthority r,
/tmp/.X[0-9]*-lock r,

# sysfs
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/sys/devices/pci[0-9]*/**/uevent r,

# executables and extra shared libraries
# Everything under the Firefox install dir may be read, exec-mapped and
# executed under this profile (ix); the deny-w rules at the end of the
# profile keep that same tree non-writable, so it is not a writable and
# executable location for the confined task.
/usr/lib{,64}/firefox/** ixr,
/usr/lib{,64}/libproxy-*/**.so m,
/usr/bin/ r,
# Helper utilities inherit this profile (ix): they get no more access than
# Firefox itself.
/usr/bin/which ix,
/usr/bin/basename ix,
/usr/bin/dirname ix,
/usr/bin/pwd ix,
/sbin/killall5 ix,
/usr/bin/tr ix,
/usr/bin/expr ix,

#TODO: these three run UNCONFINED (Ux) — once exec'd they escape this profile
# entirely. Prefer ix, or a Cx child profile, once it is confirmed that ps and
# uname still work with the owner-only @{PROC} rules above.
/usr/bin/mkfifo Uxr,
/bin/ps Uxr,
/bin/uname Uxr,

# fonts
/usr/share/fontconfig/ r,
/usr/share/fontconfig/** r,
/usr/share/fonts-config/ r,
/usr/share/fonts-config/** r,
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/**/fonts/ r,
/usr/share/**/fonts/** r,
/usr/share/*-fonts/ r,
/usr/share/*-fonts/** r,

# locales (message catalogs) — presumably needed for translated UI; TODO confirm
/usr/share/**/LC_MESSAGES/** r,

# spellcheck dictionaries
/usr/share/myspell/ r,
/usr/share/myspell/** r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,

# Needed for plugin-container to work in xul builds; runs under this profile (ix).
/usr/lib{,64}/xulrunner-*/plugin-container ixr,

# per-user firefox configuration. All rules are owner-restricted, so another
# user's profile directory is not granted by this profile.
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
# Locking (k) on the profile databases and the parent lock file.
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
# Plugins stored inside the profile may be mapped executable (m).
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.cache/mozilla/{,firefox/} rw,
owner @{HOME}/.cache/mozilla/firefox/** rw,
owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,

#TODO: even with these rules, Firefox confined by this profile is still not
# able to open downloaded files with the applications named in these configs.
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
/var/cache/gio-*/gnome-defaults.list r,
owner @{HOME}/.config/gtk-3.0/bookmarks r,

# other user files
# owner @{HOME}/.thumbnails/*/*.png r,

# Extensions
# NOTE(review): ~/.mozilla/**/extensions is already user-writable (rw above)
# and this rule adds m and ix, making it a writable-and-executable location
# under this profile. Confirm that x (not just r/m) is really required here.
owner @{HOME}/.mozilla/**/extensions/** mixr,
# System-wide extensions: read-only tree (see the deny-w rules at the end).
/usr/share/mozilla/extensions/** ixr,

#####################
# extra definitions #
#####################

# browsing root (not the subdirs)
/ r,

# browsing home dir
# owner @{HOME}/ r,

# allow downloads to /mnt/downloads/
# Read/write only — no m or x, so nothing saved here can be executed or
# exec-mapped by the confined task.
/mnt/ r,
/mnt/downloads/ r,
/mnt/downloads/** rw,

# flashgot extension+wget, using xterm (urxvt is not listed and will be denied)
# The shells, wget and xterm inherit this profile (ix), so a shell started
# this way is still limited to the rules in this file.
/bin/bash ix,
/bin/sh ix,
/usr/bin/wget ixr,
/usr/bin/xterm ixr,
/usr/lib{,64}/utempter/utempter ixr,
# pty and terminal devices, presumably for xterm — TODO confirm.
/dev/pts/** rw,
/dev/tty rw,
/dev/ptmx rw,
# NOTE(review): write+lock on the login accounting files, presumably for
# utempter under the inherited xterm — TODO confirm. Letting a browser-confined
# task modify utmp/wtmp is wider than needed; giving utempter its own profile
# (px instead of ixr above) would keep these two rules out of this file.
/var/run/utmp rwk,
/var/log/wtmp rwk,
/etc/wgetrc r,
# Whole /etc/ssl tree readable (CA certificates for wget). File permissions
# on anything under /etc/ssl still apply; this rule does not override them.
/etc/ssl/ r,
/etc/ssl/** r,
/usr/share/terminfo/** r,
/var/cache/libx11/compose/** r,

# multimedia and flash player with freshwrapper
# NOTE(review): the GStreamer plugin scanner runs UNCONFINED (Ux). A Cx child
# profile with its own rules would keep it confined — TODO confirm what it needs.
/usr/lib{,64}/gstreamer-*/gst-plugin-scanner Ux,
owner @{HOME}/.config/pulse/** r,
owner @{HOME}/.gstreamer-*/ rw,
owner @{HOME}/.gstreamer-*/** rw,
# PCI config space readable here (wider than the uevent-only sysfs rule above).
/sys/devices/pci[0-9]*/**/config r,
/etc/freshwrapper.conf r,
/etc/vdpau_wrapper.cfg r,
owner @{HOME}/.config/freshwrapper-data/ rw,
owner @{HOME}/.config/freshwrapper-data/** rw,

# TODO:
# Explicit denies. They win over the allow rules above (e.g. the ixr rule on
# /usr/lib{,64}/firefox/** is narrowed to read+exec by the deny-w below) and,
# being quiet, keep expected denials out of the audit log.
# The update.test rule is already covered by the /usr/lib{,64}/firefox/** deny
# further down; it is harmless but redundant.
deny /usr/lib{,64}/firefox/update.test w,
deny /usr/lib{,64}/mozilla/extensions/**/ w,
deny /usr/lib{,64}/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
deny /run/udev/data/** r,
deny /usr/lib{,64}/firefox/** w,
deny /usr/lib{,64}/xulrunner-*/** w,
deny /.suspended r,
deny /boot/initrd* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
deny /usr/bin/gconftool-2 x,
}