# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>

# Declare an apparmor variable to help with overrides.
# @{MOZ_LIBDIR} is referenced by the rules in the profile below; the
# profile's own attachment path is spelled out literally, so keep the two
# in sync if the install directory ever changes.
@{MOZ_LIBDIR}=/usr/lib/firefox

# Supplies the variables the profile relies on but does not define itself
# (@{HOME}, @{PROC}). The rules that live in this and every other
# #include'd file are part of the effective policy even though they are
# not visible here.
#include <tunables/global>
# We want to confine the binaries that match:
#   /usr/lib/firefox/firefox
#   /usr/lib/firefox/firefox* where the name is at least two characters
#   longer, its second-to-last character is not 's' and its last is not 'h'
# but not:
#   /usr/lib/firefox/firefox.sh  (excluded by the [^s][^h] suffix rule)
# Note the attachment path is literal rather than @{MOZ_LIBDIR}.
/usr/lib/firefox/firefox{,*[^s][^h]} {
  # Abstractions: each one pulls in further rules that are not visible in
  # this file; the effective policy is this profile plus all of them.
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  # TODO: finetune this for required accesses
  #include <abstractions/dbus>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # for networking
  # Only TCP (stream) sockets are granted here; presumably UDP for DNS
  # comes from abstractions/nameservice -- confirm there if lookups fail.
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  # 'owner' restricts a rule to files owned by the process's own uid.
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  # 'm' permits mapping files executable (mmap PROT_EXEC). This profile
  # grants no write access under /tmp or /var/tmp itself; if an included
  # abstraction does, those directories become a place the browser can load
  # code from -- NOTE(review): check the abstractions before widening this.
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  # deny rules take precedence over any allow rule (including ones from
  # abstractions) and are not logged, which is what silences the noise.
  deny /run/udev/data/** r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  # Explicit, quiet denials of writes into the install tree and reads of
  # kernel/boot images; they also guarantee nothing from an abstraction or
  # the local override can accidentally open these up.
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # 'ix' = execute and inherit this profile, so the helpers stay confined
  # by exactly these rules; 'r' lets the launcher read them.
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  owner @{HOME}/.thumbnails/*/*.png r,

  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  # environ/auxv are restricted to the process's own pid entries via 'owner'.
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # Read access to the whole of /usr and /opt; this is what also makes
  # system extension directories readable (see the Extensions note below).
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  # Trailing '/' means these match directories only (listing, not file
  # contents).
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  # The whole profile tree is writable; 'k' adds file locking for the
  # databases, 'm' lets plugin binaries under it be mapped executable.
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox*-bin-* rw,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # This tree is also writable via the '.{firefox,mozilla}/** rw' rule
  # above, so files the browser itself writes here can be executed; the
  # 'ix' inherit is what bounds that -- the child runs under this same
  # profile, never unconfined.
  owner @{HOME}/.mozilla/**/extensions/** mixr,

  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # 'Ux' = run unconfined with the environment scrubbed (the secure-execute
  # behaviour referred to above). None of this profile's restrictions apply
  # to these children once started.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # Site-specific additions and overrides. See local/README for details.
  # Rules added there extend the policy and are not visible in this file.
  #include <local/usr.bin.firefox>
}