document.write('
Data hosted with ♥ by Pastebin.com - Download Raw - See Original
  1. # vim:syntax=apparmor
  2. # Author: Jamie Strandboge <jamie@canonical.com>
  3.  
  4. # Declare an apparmor variable to help with overrides
  5. @{MOZ_LIBDIR}=/usr/lib/firefox
  6.  
  7. #include <tunables/global>
  8.  
  9. # We want to confine the binaries that match:
  10. # /usr/lib/firefox/firefox
  11. # /usr/lib/firefox/firefox
  12. # but not:
  13. # /usr/lib/firefox/firefox.sh
  14. /usr/lib/firefox/firefox{,*[^s][^h]} {
  15. #include <abstractions/audio>
  16. #include <abstractions/cups-client>
  17. #include <abstractions/dbus-session>
  18. #include <abstractions/gnome>
  19. #include <abstractions/nameservice>
  20. #include <abstractions/p11-kit>
  21.  
  22. # Addons
  23. #include <abstractions/ubuntu-browsers.d/firefox>
  24.  
  25. # for networking
  26. network inet stream,
  27. network inet6 stream,
  28. @{PROC}/[0-9]*/net/if_inet6 r,
  29. @{PROC}/[0-9]*/net/ipv6_route r,
  30. @{PROC}/[0-9]*/net/dev r,
  31. @{PROC}/[0-9]*/net/wireless r,
  32.  
  33. # should maybe be in abstractions
  34. /etc/ r,
  35. /etc/mime.types r,
  36. /etc/mailcap r,
  37. /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  38. /usr/share/xubuntu/applications/defaults.list r,
  39. owner @{HOME}/.local/share/applications/defaults.list r,
  40. owner @{HOME}/.local/share/applications/mimeapps.list r,
  41. owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  42. owner /tmp/** m,
  43. owner /var/tmp/** m,
  44. /tmp/.X[0-9]*-lock r,
  45.  
  46. /etc/timezone r,
  47. /etc/wildmidi/wildmidi.cfg r,
  48.  
  49. # firefox specific
  50. /etc/firefox*/ r,
  51. /etc/firefox*/** r,
  52. /etc/xul-ext/** r,
  53. /etc/xulrunner-2.0*/ r,
  54. /etc/xulrunner-2.0*/** r,
  55. /etc/gre.d/ r,
  56. /etc/gre.d/* r,
  57.  
  58. # noisy
  59. deny @{MOZ_LIBDIR}/** w,
  60. deny /usr/lib/firefox-addons/** w,
  61. deny /usr/lib/xulrunner-addons/** w,
  62. deny /usr/lib/xulrunner-*/components/*.tmp w,
  63. deny /.suspended r,
  64. deny /boot/initrd.img* r,
  65. deny /boot/vmlinuz* r,
  66. deny /var/cache/fontconfig/ w,
  67. deny @{HOME}/.local/share/recently-used.xbel r,
  68.  
  69. # TODO: investigate
  70. deny /usr/bin/gconftool-2 x,
  71.  
  72. # These are needed when a new user starts firefox and firefox.sh is used
  73. @{MOZ_LIBDIR}/** ixr,
  74. /usr/bin/basename ixr,
  75. /usr/bin/dirname ixr,
  76. /usr/bin/pwd ixr,
  77. /sbin/killall5 ixr,
  78. /bin/which ixr,
  79. /usr/bin/tr ixr,
  80. @{PROC}/ r,
  81. @{PROC}/[0-9]*/cmdline r,
  82. @{PROC}/[0-9]*/mountinfo r,
  83. @{PROC}/[0-9]*/stat r,
  84. owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  85. @{PROC}/[0-9]*/status r,
  86. @{PROC}/filesystems r,
  87. owner @{HOME}/.thumbnails/*/*.png r,
  88.  
  89. /etc/mtab r,
  90. /etc/fstab r,
  91.  
  92. # Needed for the crash reporter
  93. owner @{PROC}/[0-9]*/environ r,
  94. owner @{PROC}/[0-9]*/auxv r,
  95. /etc/lsb-release r,
  96. /usr/bin/expr ix,
  97. /sys/devices/system/cpu/ r,
  98. /sys/devices/system/cpu/** r,
  99.  
  100. # about:memory
  101. owner @{PROC}/[0-9]*/statm r,
  102. owner @{PROC}/[0-9]*/smaps r,
  103.  
  104. # Needed for container to work in xul builds
  105. /usr/lib/xulrunner-*/plugin-container ixr,
  106.  
  107. # allow access to documentation and other files the user may want to look
  108. # at in /usr and /opt
  109. /usr/ r,
  110. /usr/** r,
  111. /opt/ r,
  112. /opt/** r,
  113.  
  114. # so browsing directories works
  115. / r,
  116. /**/ r,
  117.  
  118. # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  119. owner @{HOME}/ r,
  120. owner @{HOME}/Public/ r,
  121. owner @{HOME}/Public/* r,
  122. owner @{HOME}/公共/ r,
  123. owner @{HOME}/公共/* r,
  124. owner @{HOME}/Downloads/ r,
  125. owner @{HOME}/Downloads/* rw,
  126. owner @{HOME}/下載/ r,
  127. owner @{HOME}/下載/* rw,
  128.  
  129. # per-user firefox configuration
  130. owner @{HOME}/.{firefox,mozilla}/ rw,
  131. owner @{HOME}/.{firefox,mozilla}/** rw,
  132. owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  133. owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  134. owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  135. owner @{HOME}/.config/ibus/bus/ w,
  136. owner @{HOME}/.gnome2/firefox*-bin-* rw,
  137.  
  138. #
  139. # Extensions
  140. # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  141. # Allow 'x' for downloaded extensions, but inherit policy for safety
  142. owner @{HOME}/.mozilla/**/extensions/** mixr,
  143.  
  144. deny @{MOZ_LIBDIR}/update.test w,
  145. deny /usr/lib/mozilla/extensions/**/ w,
  146. deny /usr/lib/xulrunner-addons/extensions/**/ w,
  147. deny /usr/share/mozilla/extensions/**/ w,
  148. deny /usr/share/mozilla/ w,
  149.  
  150. # Miscellaneous (to be abstracted)
  151. # Ideally these would use a child profile. They are all ELF executables
  152. # so running with 'Ux', while not ideal, is ok because we will at least
  153. # benefit from glibc's secure execute.
  154. /usr/bin/mkfifo Uxr, # investigate
  155. /bin/ps Uxr,
  156. /bin/uname Uxr,
  157.  
  158. # Site-specific additions and overrides. See local/README for details.
  159. #include <local/usr.bin.firefox>
  160. }
');