diff --git a/profiles/apparmor.d/abstractions/mesa b/profiles/apparmor.d/abstractions/mesa
index c9bdb4b17..2ff39be46 100644
--- a/profiles/apparmor.d/abstractions/mesa
+++ b/profiles/apparmor.d/abstractions/mesa
@@ -24,6 +24,7 @@
 owner @{HOME}/.cache/mesa_shader_cache_db/ rw,
 owner @{HOME}/.cache/mesa_shader_cache_db/index rwk,
+ owner @{HOME}/.cache/mesa_shader_cache_db/marker rwk,
 owner @{HOME}/.cache/mesa_shader_cache_db/part*/ rw,
 owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.db rwkl,
 owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.idx rwkl,
diff --git a/profiles/apparmor/profiles/extras/chromium_browser b/profiles/apparmor/profiles/extras/chromium_browser
index 74b644991..0a71e5578 100644
--- a/profiles/apparmor/profiles/extras/chromium_browser
+++ b/profiles/apparmor/profiles/extras/chromium_browser
@@ -132,8 +132,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 owner @{PROC}/@{pid}/io r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/{uid,gid}_map w,
- owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/{uid,gid}_map rw,
+ owner @{PROC}/@{pid}/smaps{,_rollup} r,
 @{PROC}/@{pid}/stat r,
 @{PROC}/@{pid}/statm r,
 owner @{PROC}/@{pid}/status r,
@@ -164,6 +164,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 /sys/devices/@{pci_bus}/**/irq r,
 /sys/devices/@{pci_bus}/**/manufacturer r,
 /sys/devices/@{pci_bus}/**/product r,
+ /sys/devices/@{pci_bus}/**/report_descriptor r,
 /sys/devices/@{pci_bus}/**/resource r,
 /sys/devices/@{pci_bus}/**/revision r,
 /sys/devices/@{pci_bus}/**/serial r,
@@ -233,6 +234,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
 /usr/bin/gvfs-open ixr,
 /usr/bin/kdialog ixr,
 # TODO: xfce
+ # Block "Create shortcut..." functionality for now
+ deny /usr/bin/xdg-desktop-menu x,
+ deny /usr/bin/xdg-icon-resource x,
 # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
 # which is provided by abstractions/ubuntu-browsers.d/user-files).
diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/firefox
index e10a84072..5b01dd3fa 100644
--- a/profiles/apparmor/profiles/extras/firefox
+++ b/profiles/apparmor/profiles/extras/firefox
@@ -110,6 +110,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 member=GetAll peer=(label=unconfined),
+ unix (bind, listen) type=seqpacket addr="@gecko-crash-helper-pipe.*",
+
 @{exec_path} mr,
 # should maybe be in abstractions
@@ -193,13 +195,14 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 @{PROC}/filesystems r,
 @{PROC}/sys/vm/overcommit_memory r,
 @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r,
+ /sys/devices/**/uevent r,
 # prevent crash LP: #1931602
- /sys/devices/@{pci_bus}/**/{uevent,resource,irq,class} r,
- /sys/devices/platform/**/uevent r,
+ /sys/devices/@{pci_bus}/**/{resource,irq,class} r,
 /sys/devices/@{pci_bus}/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
 /sys/devices/@{pci_bus}/**/{,subsystem_}device r,
 /sys/devices/@{pci_bus}/**/{,subsystem_}vendor r,
 /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/devices/virtual/dmi/id/product_{name,sku} r,
 owner @{HOME}/.cache/thumbnails/** rw,
 /etc/mtab r,
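Review bot: The two `deny ... x` rules added after `# TODO: xfce` block the execs but, because an explicit deny in AppArmor by default also quiets the rejection, nothing will show up in the log while the "for now" stands; `audit deny /usr/bin/xdg-desktop-menu x,` and `audit deny /usr/bin/xdg-icon-resource x,` keep the denials visible so it is possible to tell whether users actually hit the blocked feature. The comment could also name the effect being avoided rather than only the menu item, presumably that these helpers would create .desktop entries and icons in the user's data directories; something like `# Block "Create shortcut..." for now: the xdg-* helpers would install .desktop entries/icons` makes the rule reviewable later without re-deriving it. The enclosing profile starts outside the hunk.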
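Review bot: The new `unix (bind, listen) ... addr="@gecko-crash-helper-pipe.*"` rule in the firefox @@ -110 hunk grants bind and listen on the abstract socket but not `accept`, so accepting a connection on that listening socket would still be mediated unless a broader unix rule elsewhere in the profile covers it (the profile body continues outside the hunk); `unix (bind, listen, accept) type=seqpacket addr="@gecko-crash-helper-pipe.*",` makes the rule self-contained. If the crash helper itself runs under this profile, the `connect`, `send` and `receive` side needs covering too, which is worth checking against the denial log rather than assuming. A short comment stating what the `.*` suffix is expected to be (pid, random token) would let a reader judge how wide the abstract-socket glob is.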
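Review bot: `/sys/devices/**/uevent r,` in the firefox @@ -193 hunk replaces the pci_bus and platform subtree rules with a read of every uevent file under /sys/devices, and nothing in the hunk says which device class needed the widening. uevent files typically carry only key=value driver/modalias lines, so the exposure is modest, but a comment above the new line naming the trigger, e.g. `# uevent for devices outside pci/platform (see bug/issue ref)` with the real reference substituted, would let the glob be narrowed again later. The `# prevent crash LP: #1931602` comment now introduces the `{resource,irq,class}` rule alone; if the crash was about uevent it should move above the new rule.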
@@ -246,7 +249,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 owner @{HOME}/.gnome2/firefox* rwk,
 owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
 owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
- owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
+ owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sql{,ite}{,-shm} k,
 owner @{HOME}/.config/gtk-3.0/bookmarks r,
 owner @{HOME}/.config/dconf/user w,
 owner @{run}/user/[0-9]*/dconf/ w,
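Review bot: `*.sql{,ite}{,-shm}` expands to four names, one of which is `*.sql-shm`, which does not look intended; if the aim is lock access for `.sql` files alongside `.sqlite` and `.sqlite-shm`, the nested form `owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.{sql,sqlite{,-shm}} k,` states exactly that. Since the `** rw` rule two lines above already grants read/write, this rule only adds `k`, so a short comment such as `# lock files for sqlite databases in the cache` would make the pairing obvious. The enclosing profile starts outside the hunk.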