# Last Modified: Wed Sep 16 06:53:57 2015
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Declare an apparmor variable to help with overrides: every rule below
# that refers to the Firefox install directory goes through @{MOZ_LIBDIR},
# so a site-local override only has to change this one assignment.
@{MOZ_LIBDIR} = /usr/lib/firefox
# Standard tunables; the @{HOME} and @{PROC} variables used in the profile
# are defined by what this pulls in.
#include <tunables/global>
# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox<suffix>, where <suffix> is at least two
#  characters long, its second-to-last character is not 's' and its last
#  character is not 'h' (that is what the {,*[^s][^h]} glob expresses)
# but not:
#  /usr/lib/firefox/firefox.sh
# Profile attached to the Firefox main binary (see the glob note above).
# Rule semantics used throughout: r/w = read/write, m = map as executable,
# k = file locking, ix = execute inheriting this profile, Ux = execute
# unconfined with a scrubbed environment, `owner` = only when the file is
# owned by the process' own uid. `deny` rules always win over allow rules
# (including the broad ones further down) and are not logged.
/usr/lib/firefox/firefox{,*[^s][^h]} {
# Shared abstractions. The last include is conventionally the site-local
# hook for administrators to add rules without editing this file.
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-accessibility>
#include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/p11-kit>
#include <abstractions/ubuntu-browsers.d/firefox>
#include <local/usr.bin.firefox>
# Network: this profile itself grants only TCP (stream) over IPv4/IPv6.
# Anything else (e.g. UDP for DNS) would have to come from an abstraction.
network inet stream,
network inet6 stream,
# Explicit denials. These carve exceptions out of the wide read grants
# below (/ , /**/ , /usr/** , /opt/**) and, for the Mozilla directories,
# make sure the browser cannot modify its own installation or system-wide
# add-ons even though @{MOZ_LIBDIR}/** is executable.
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /run/udev/data/** r,
deny /usr/bin/gconftool-2 x,
deny /usr/lib/firefox-addons/** w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /usr/lib/xulrunner-addons/** w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /var/cache/fontconfig/ w,
deny @{HOME}/.local/share/recently-used.xbel r,
# The update.test denial is already covered by the @{MOZ_LIBDIR}/** line
# above it; kept for readability of the audit history.
deny @{MOZ_LIBDIR}/** w,
deny @{MOZ_LIBDIR}/update.test w,
# Directory listing anywhere on the filesystem: a trailing '/' matches
# directories only, so file contents are still governed by the rules below.
/ r,
/**/ r,
# Helpers. NOTE(review): ps, uname and (below) mkfifo are run with Ux, i.e.
# fully unconfined - whatever those processes touch is outside this policy.
# Worth confirming whether ix or a child profile would be sufficient.
/bin/ps rUx,
/bin/uname rUx,
/bin/which rix,
# System configuration files Firefox and its launcher consult.
/etc/ r,
/etc/firefox*/ r,
/etc/firefox*/** r,
/etc/fstab r,
/etc/gre.d/ r,
/etc/gre.d/* r,
/etc/lsb-release r,
/etc/mailcap r,
/etc/mime.types r,
/etc/mtab r,
/etc/timezone r,
/etc/udev/udev.conf r,
/etc/wildmidi/wildmidi.cfg r,
/etc/xdg/*buntu/applications/defaults.list r,
/etc/xfce4/defaults.list r,
/etc/xul-ext/** r,
/etc/xulrunner-2.0*/ r,
/etc/xulrunner-2.0*/** r,
# Whole of /opt readable (third-party plugins are commonly installed there).
/opt/ r,
/opt/** r,
/sbin/killall5 rix,
# Device enumeration via sysfs (USB ids, CPU topology).
/sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/platform/**/uevent r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
/sys/devices/virtual/block/dm-1/uevent r,
# NOTE(review): 'm' on the user's own temp files permits mapping them
# executable; no r/w on /tmp/** is granted here, so the file descriptor
# must originate elsewhere (an abstraction, or an inherited/passed fd).
owner /tmp/** m,
/tmp/.X[0-9]*-lock r,
# All of /usr readable. This is what makes the individual 'r' flags on the
# /usr/bin helpers below redundant (expr has none and still works).
/usr/ r,
/usr/** r,
/usr/bin/basename rix,
/usr/bin/dirname rix,
/usr/bin/expr ix,
/usr/bin/mkfifo rUx,
/usr/bin/pwd rix,
/usr/bin/tr rix,
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
/usr/lib/xulrunner-*/plugin-container rix,
/usr/share/xubuntu/applications/defaults.list r,
# Same executable-mapping note as for /tmp applies to /var/tmp.
owner /var/tmp/** m,
owner /{,var/}run/shm/shmfd-* rw,
# Per-user state. Everything under the home directory is owner-restricted.
owner @{HOME}/ r,
owner @{HOME}/.cache/mozilla/firefox/** rw,
owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
owner @{HOME}/.cache/mozilla/{,firefox/} rw,
owner @{HOME}/.gnome2/firefox*-bin-* rw,
owner @{HOME}/.local/share/applications/defaults.list r,
owner @{HOME}/.local/share/applications/mimeapps.list r,
owner @{HOME}/.local/share/applications/mimeinfo.cache r,
# NOTE(review): user-installed extensions may be mapped executable and
# executed (mrix) from a directory the profile also allows writing to
# via the .{firefox,mozilla}/** rw rule below.
owner @{HOME}/.mozilla/**/extensions/** mrix,
owner @{HOME}/.thumbnails/*/*.png r,
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
# Lock files for the profile database/parentlock/sqlite files.
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
owner @{HOME}/.{firefox,mozilla}/plugins/** mr,
# Downloads: files directly under Downloads/ are writable (single '*', so
# not subdirectories); Public/ is read-only.
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
# The install tree is readable/executable but write-denied (see deny above).
@{MOZ_LIBDIR}/** rix,
# procfs. The more sensitive per-process files (auxv, environ, smaps, statm,
# task stat) are owner-only; cmdline, stat, status, mountinfo and the net
# tables are readable for any process on the system.
@{PROC}/ r,
owner @{PROC}/[0-9]*/auxv r,
@{PROC}/[0-9]*/cmdline r,
owner @{PROC}/[0-9]*/environ r,
@{PROC}/[0-9]*/mountinfo r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
@{PROC}/[0-9]*/net/wireless r,
owner @{PROC}/[0-9]*/smaps r,
@{PROC}/[0-9]*/stat r,
owner @{PROC}/[0-9]*/statm r,
@{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
@{PROC}/filesystems r,
@{PROC}/sys/vm/overcommit_memory r,
}