# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
# We want to confine the binaries that match:
# /usr/lib/firefox-4.0b8/firefox
# /usr/lib/firefox-4.0b8/firefox
# but not:
# /usr/lib/firefox-4.0b8/firefox.sh
/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
#include <abstractions/audio>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
# for networking
network inet stream,
network inet6 stream,
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,
# should maybe be in abstractions
/usr/share/xubuntu/applications/defaults.list r,
owner /tmp/** m,
owner /var/tmp/** m,
/tmp/.X[0-9]*-lock r,
/etc/timezone r,
/etc/writable/timezone r,
/etc/wildmidi/wildmidi.cfg r,
# firefox specific
/etc/firefox*/** r,
/etc/xul-ext/** r,
/etc/xulrunner{,-[0-9]*}/** r,
/etc/gre.d/* r,
/etc/mailcap r,
/etc/mime.types r,
# noisy
deny /usr/lib/firefox{,-[0-9]*}/** w,
deny /usr/lib/{firefox,xulrunner}-addons/** w,
deny /usr/lib/xulrunner-*/components/*.tmp w,
deny /.suspended r,
deny /boot/initrd.img* r,
deny /boot/vmlinuz* r,
deny /var/cache/fontconfig/ w,
deny /usr/bin/gconftool-2 x,
# These are needed when a new user starts firefox and firefox.sh is used
/usr/lib/firefox{,-[0-9]*}/** ixr,
deny /usr/lib/firefox/firefox.sh x,
/usr/bin/basename ixr,
/usr/bin/dirname ixr,
/usr/bin/pwd ixr,
/sbin/killall5 ixr,
/bin/which ixr,
/usr/bin/tr ixr,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/status r,
/etc/mtab r,
/etc/fstab r,
# Needed for the crash reporter
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/auxv r,
/etc/lsb-release r,
/usr/bin/expr ix,
# Needed for container to work in xul builds
/usr/lib/xulrunner-*/plugin-container ixr,
# Make browsing directories work
/ r,
/**/ r,
# allow access to documentation and other files the user may want to look
# at in /usr
/usr/{include,share,src}/** r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/** r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/.thumbnails/*/*.png r,
# per-user firefox configuration
owner @{HOME}/.{firefox,mozilla}/ rw,
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.gnome2/firefox*-bin-* rw,
#
# Extensions
# /usr/share/.../extensions/... is already covered by '/usr/.../** r', above.
# Allow 'x' for downloaded extensions, but inherit policy for safety
owner @{HOME}/.mozilla/**/extensions/** mixr,
deny /usr/lib/firefox{,-[0-9]*}/update.test w,
deny /usr/lib/mozilla/extensions/**/ w,
deny /usr/lib/xulrunner-addons/extensions/**/ w,
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
# Site-specific additions and overrides. See local/README for details.
# The local include is disabled; we only enable it for profiles we promote
# out of extras.
## include <local/usr.bin.firefox>
}
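The attachment pattern above relies on AppArmor globbing (`{a,b}` alternation, `*`, `**` and `[^x]` classes) to attach to `firefox` and `firefox-bin` while leaving `firefox.sh` unconfined. The following Python script is an added example, not part of the Ubuntu profile or of AppArmor itself: it is a simplified reimplementation of the glob-to-regex translation the parser performs (the handling of `*`/`**` directly after a `/` follows apparmor_parser's behaviour of requiring at least one character, the rest is an approximation), with constructed values for the `@{HOME}`, `@{PROC}` and `@{pid}` tunables so that rule paths from the profile can be checked against sample paths.

```python
import re

# Constructed tunable values for this demonstration; a real system takes
# them from tunables/global and tunables/home.
VARS = {"HOME": "/home/alice", "PROC": "/proc", "pid": "[0-9]*"}

# Attachment pattern of the profile on this page.
ATTACH = "/usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]}"


def expand_vars(pattern, variables=VARS):
    """Substitute @{NAME} tunables (simplified: one value per variable)."""
    return re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)


def aa_glob_to_regex(pattern):
    """Translate an AppArmor path glob into a Python regex (simplified)."""
    out, depth, i, n = [], 0, 0, len(pattern)
    while i < n:
        c, prev = pattern[i], pattern[i - 1] if i else ""
        if c == "*" and i + 1 < n and pattern[i + 1] == "*":
            # '**' crosses '/'; right after a '/' it must consume at least
            # one non-'/' character, so '/tmp/**' does not match '/tmp/'.
            out.append("[^/].*" if prev == "/" else ".*")
            i += 2
            continue
        if c == "*":                       # single '*' never crosses '/'
            out.append("[^/]+" if prev == "/" else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                     # copy [abc] / [^x] classes through
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        elif c == "{":                     # {a,b} -> (?:a|b), nesting allowed
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def matches(pattern, path):
    """True if the AppArmor glob (with tunables) matches the whole path."""
    regex = aa_glob_to_regex(expand_vars(pattern))
    return re.fullmatch(regex, path, re.DOTALL) is not None
```

Running `matches(ATTACH, "/usr/lib/firefox-4.0b8/firefox.sh")` returns `False` while the bare `firefox` and `firefox-bin` binaries match, which is the behaviour the comment above the profile header describes.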