merge profiles from Ubuntu, including change_hat apache2 template

profiles/Makefile

@@ -37,17 +37,19 @@ PROFILES_DEST=${DESTDIR}/etc/apparmor.d
 EXTRAS_DEST=${DESTDIR}/etc/apparmor/profiles/extras/
 PROFILES_SOURCE=./apparmor.d
 EXTRAS_SOURCE=./apparmor/profiles/extras/
-SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables
+SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables
 PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*))
 
 .PHONY: install
 install: 
 	install -m 755 -d ${PROFILES_DEST}
 	install -m 755 -d ${PROFILES_DEST}/abstractions \
+                          ${PROFILES_DEST}/apache2.d \
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables
 	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
 	install -m 644 ${PROFILES_SOURCE}/abstractions/* ${PROFILES_DEST}/abstractions
+	install -m 644 ${PROFILES_SOURCE}/apache2.d/* ${PROFILES_DEST}/apache2.d
 	install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks
 	install -m 644 ${PROFILES_SOURCE}/tunables/* ${PROFILES_DEST}/tunables
 	install -m 755 -d ${EXTRAS_DEST}

profiles/apparmor.d/abstractions/base

@@ -84,3 +84,19 @@
 
   # some applications will display license information
   /usr/share/common-licenses/**  r,
+
+  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
+  # filesystems generally. This does not appreciably decrease security with
+  # Ubuntu profiles because the user is expected to have access to files owned
+  # by him/her. Exceptions to this are explicit in the profiles. While this rule
+  # grants access to those exceptions, the intended privacy is maintained due to
+  # the encrypted contents of the files in this directory. Files in this
+  # directory will also use filename encryption by default, so the files are
+  # further protected. Also, with the use of 'owner', this rule properly
+  # prevents access to the files from processes running under a different uid.
+
+  # encrypted ~/.Private and old-style encrypted $HOME
+  owner @{HOME}/.Private/** mrixwlk,
+  # new-style encrypted $HOME
+  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
+

profiles/apparmor.d/abstractions/launchpad-integration

@@ -0,0 +1,6 @@
+# vim:syntax=apparmor
+# launchpad-integration
+
+  # allow launchpad-integration to run unconfined using Secure Execution (Ux)
+  /usr/bin/launchpad-integration Uxr,
+

profiles/apparmor.d/abstractions/private-files

@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# privacy-violations contains rules for common files that you want to explicity
+# deny access
+
+  # privacy violations (don't audit files under $HOME otherwise get a
+  # lot of false positives when reading contents of directories)
+  deny @{HOME}/.*history mrwkl,
+  deny @{HOME}/.fetchmail* mrwkl,
+  deny @{HOME}/.viminfo* mrwkl,
+  deny @{HOME}/.*~ mrwkl,
+  deny @{HOME}/.*.swp mrwkl,
+  deny @{HOME}/.*~1~ mrwkl,
+  deny @{HOME}/.*.bak mrwkl,
+
+  # special attention to (potentially) executable files
+  audit deny @{HOME}/bin/** wl,
+
+  deny @{HOME}/.bash* mrk,
+  audit deny @{HOME}/.bash* wl,
+
+  deny @{HOME}/.profile* mrk,
+  audit deny @{HOME}/.profile* wl,
+
+  deny @{HOME}/.*rc mrk,
+  audit deny @{HOME}/.*rc wl,
+

profiles/apparmor.d/abstractions/private-files-strict

@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicity deny access
+
+  #include <abstractions/private-files>
+
+  # potentially extremely sensitive files
+  audit deny @{HOME}/.gnupg/** mrwkl,
+  audit deny @{HOME}/.ssh/** mrwkl,
+  audit deny @{HOME}/.gnome2_private/** mrwkl,
+  audit deny @{HOME}/.mozilla/** mrwkl,
+

profiles/apparmor.d/abstractions/ubuntu-browsers

@@ -0,0 +1,30 @@
+#
+# abstraction for allowing access to graphical browsers in Ubuntu
+#
+
+  /usr/bin/arora Ux,
+  /usr/bin/chromium-browser Ux,
+  /usr/bin/conkeror Ux,
+  /usr/bin/dillo Ux,
+  /usr/bin/Dooble Ux,
+  /usr/bin/epiphany Ux,
+  /usr/bin/epiphany-browser Ux,
+  /usr/bin/epiphany-webkit Ux,
+  /usr/lib/fennec-*/fennec Ux,
+  /usr/bin/galeon Ux,
+  /usr/bin/kazehakase Ux,
+  /usr/bin/konqueror Ux,
+  /usr/bin/midori Ux,
+  /usr/bin/netsurf Ux,
+  /usr/bin/prism Ux,
+  /usr/bin/rekonq Ux,
+  /usr/bin/seamonkey Ux,
+  /usr/lib/chromium-browser/chromium-browser Ux,
+
+  # this should cover all firefox browsers and versions (including shiretoko
+  # and abrowser)
+  /usr/lib/firefox-*/firefox.sh Ux,
+
+  # some unpackaged, but popular browsers
+  /usr/lib/icecat-*/icecat Ux,
+  /usr/bin/opera Ux,

profiles/apparmor.d/abstractions/ubuntu-console-browsers

@@ -0,0 +1,14 @@
+#
+# abstraction for allowing access to text-only browsers in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include <abstractions/ubuntu-gnome-terminal>
+#
+
+  /usr/bin/elinks Ux,
+  /usr/bin/links Ux,
+  /usr/bin/lynx.cur Ux,
+  /usr/bin/netrik Ux,
+  /usr/bin/w3m Ux,
+

profiles/apparmor.d/abstractions/ubuntu-console-email

@@ -0,0 +1,14 @@
+#
+# abstraction for allowing console email clients in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include <abstractions/ubuntu-gnome-terminal>
+#
+
+  /usr/bin/alpine Ux,
+  /usr/bin/citadel Ux,
+  /usr/bin/cone Ux,
+  /usr/bin/elmo Ux,
+  /usr/bin/mutt Ux,
+

profiles/apparmor.d/abstractions/ubuntu-email

@@ -0,0 +1,19 @@
+#
+# abstraction for allowing graphical email clients in Ubuntu
+#
+
+  /usr/bin/anjal Ux,
+  /usr/bin/balsa Ux,
+  /usr/bin/claws-mail Ux,
+  /usr/bin/evolution Ux,
+  /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Ux,
+  /usr/bin/kmail Ux,
+  /usr/bin/mailody Ux,
+  /usr/bin/modest Ux,
+  /usr/bin/seamonkey Ux,
+  /usr/bin/sylpheed Ux,
+  /usr/bin/tkrat Ux,
+
+  /usr/lib/thunderbird/thunderbird Ux,
+
+

profiles/apparmor.d/abstractions/ubuntu-gnome-terminal

@@ -0,0 +1,9 @@
+#
+# for allowing access to gnome-terminal
+#
+
+  #include <abstractions/gnome>
+
+  # do not use ux or Ux here. Use at a minimum ix
+  /usr/bin/gnome-terminal ix,
+

profiles/apparmor.d/abstractions/ubuntu-konsole

@@ -0,0 +1,16 @@
+#
+# for allowing access to konsole
+#
+
+  #include <abstractions/consoles>
+  #include <abstractions/kde>
+  capability sys_ptrace,
+  @{PROC}/[0-9]*/status r,
+  @{PROC}/[0-9]*/stat r,
+  @{PROC}/[0-9]*/cmdline r,
+  /var/run/utmp r,
+  /dev/ptmx rw,
+
+  # do not use ux or Ux here. Use at a minimum ix
+  /usr/bin/konsole ix,
+

profiles/apparmor.d/abstractions/ubuntu-xterm

@@ -0,0 +1,12 @@
+#
+# for allowing access to xterm
+#
+
+  #include <abstractions/consoles>
+  /dev/ptmx rw,
+  /var/run/utmp r,
+  /etc/X11/app-defaults/XTerm r,
+
+  # do not use ux or Ux here. Use at a minimum ix
+  /usr/bin/xterm ix,
+

profiles/apparmor.d/apache2.d/phpsysinfo

@@ -0,0 +1,40 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+
+  ^phpsysinfo {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+    #include <abstractions/python>
+
+    /bin/dash ixr,
+    /bin/df ixr,
+    /bin/mount ixr,
+    /bin/uname ixr,
+    /dev/bus/usb/ r,
+    /dev/bus/usb/** r,
+    /etc/debian_version r,
+    /etc/lsb-release r,
+    /etc/mtab r,
+    /etc/phpsysinfo/config.php r,
+    /proc/** r,
+    /proc/*/attr/current w,
+    /sys/bus/pci/devices/ r,
+    /sys/devices/** r,
+    /usr/bin/apt-cache ixr,
+    /usr/bin/dpkg-query ixr,
+    /usr/bin/lsb_release ixr,
+    /usr/bin/lspci ixr,
+    /usr/bin/who ixr,
+    /usr/sbin/lsusb ixr,
+    /usr/share/phpsysinfo/** r,
+    /var/lib/dpkg/available r,
+    /var/lib/dpkg/status r,
+    /var/lib/dpkg/triggers/* r,
+    /var/lib/dpkg/updates/ r,
+    /var/lib/misc/usb.ids r,
+    /var/log/apache2/access.log w,
+    /var/log/apache2/error.log w,
+    /var/run/utmp rk,
+    /usr/share/misc/pci.ids r,
+
+  }

profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2

@@ -0,0 +1,76 @@
+# Last Modified: Wed Sep 16 11:58:00 2009
+# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+#include <tunables/global>
+
+/usr/lib/apache2/mpm-prefork/apache2 {
+
+  # This is profile is completely permissive.
+  # It is designed to target specific applications using mod_apparmor,
+  # hats, and the apache2.d directory.
+  #
+  # In order to enable this profile, you must:
+  #
+  # 1- Enable it:
+  #    sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+  #
+  # 2- Load the mod_apparmor module:
+  #    sudo a2enmod apparmor
+  #
+  # 3- Place an appropriate profile containing the desired hat in the
+  #    /etc/apparmor.d/apache2.d directory
+  #
+  # 4- Use the "AAHatName" apache configuration option to specify a hat to
+  #    be used for a given apache directory or location directive
+  #
+  #
+  # There is an example profile for phpsysinfo included in the
+  # apparmor-profiles package. To try it:
+  #
+  # 1- Install the phpsysinfo and the apparmor-profiles packages:
+  #    sudo apt-get install phpsysinfo apparmor-profiles
+  #
+  # 2- Enable the main apache2 profile
+  #    sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+  #
+  # 3- Configure apache with the following:
+  #    <Directory /var/www/phpsysinfo/>
+  #        AAHatName phpsysinfo
+  #    </Directory>
+  #
+
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability kill,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_tty_config,
+
+  / rw,
+  /** mrwlkix,
+
+
+  ^DEFAULT_URI {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    / rw,
+    /** mrwlkix,
+
+  }
+
+  ^HANDLING_UNTRUSTED_INPUT {
+    #include <abstractions/nameservice>
+
+    / rw,
+    /** mrwlkix,
+
+  }
+
+  # This directory contains web application
+  # package-specific apparmor files.
+
+  #include <apache2.d>
+
+}

profiles/apparmor.d/usr.lib.dovecot.deliver

@@ -0,0 +1,20 @@
+# Last Modified: Wed Jun 10 00:20:56 2009
+# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+#include <tunables/global>
+/usr/lib/dovecot/deliver flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/dovecot/dovecot-postfix.conf r,
+  @{HOME} r,
+  @{HOME}/Maildir/ rw,
+  @{HOME}/Maildir/** klrw,
+  @{HOME}/mail/ rw,
+  @{HOME}/mail/* klrw,
+  @{HOME}/mail/.imap/** klrw,
+  /usr/lib/dovecot/deliver mr,
+  /var/mail/* klrw,
+}

profiles/apparmor.d/usr.lib.dovecot.dovecot-auth

@@ -0,0 +1,20 @@
+# Last Modified: Fri Oct 10 17:19:26 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/lib/dovecot/dovecot-auth flags=(complain) {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/wutmp>
+
+  capability setgid,
+  capability chown,
+  capability dac_override,
+
+  /proc/*/mounts r,
+  /usr/lib/dovecot/dovecot-auth mr,
+  /var/run/utmp k,
+  /var/run/dovecot/** rw,
+  # required for postfix+dovecot integration
+  /var/spool/postfix/private/dovecot-auth w,
+}

profiles/apparmor.d/usr.lib.dovecot.imap

@@ -0,0 +1,19 @@
+# Last Modified: Sat Oct 11 09:17:38 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/lib/dovecot/imap flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  @{HOME} r,
+  @{HOME}/Maildir/ rw,
+  @{HOME}/Maildir/** klrw,
+  @{HOME}/mail/ rw,
+  @{HOME}/mail/* klrw,
+  @{HOME}/mail/.imap/** klrw,
+  /usr/lib/dovecot/imap mr,
+  /var/mail/* klrw,
+}

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -0,0 +1,18 @@
+# Last Modified: Wed Oct  8 00:20:56 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/lib/dovecot/imap-login flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  network inet stream,
+
+  /usr/lib/dovecot/imap-login mr,
+  /var/run/dovecot/login/ r,
+  /var/run/dovecot/login/* rw,
+}

profiles/apparmor.d/usr.lib.dovecot.managesieve-login

@@ -0,0 +1,18 @@
+# Last Modified: Wed Jun 10 00:20:56 2009
+# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+#include <tunables/global>
+/usr/lib/dovecot/managesieve-login flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  network inet stream,
+
+  /usr/lib/dovecot/managesieve-login mr,
+  /var/run/dovecot/login/ r,
+  /var/run/dovecot/login/* rw,
+}

profiles/apparmor.d/usr.lib.dovecot.pop3

@@ -0,0 +1,18 @@
+# Last Modified: Wed Oct  8 00:21:56 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/lib/dovecot/pop3 flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  /var/mail/* klrw,
+  @{HOME} r,
+  @{HOME}/mail/* klrw,
+  @{HOME}/mail/.imap/** klrw,
+  @{HOME}/Maildir/ rw,
+  @{HOME}/Maildir/** klrw,
+  /usr/lib/dovecot/pop3 mr,
+}

profiles/apparmor.d/usr.lib.dovecot.pop3-login

@@ -0,0 +1,17 @@
+# Last Modified: Wed Oct  8 00:20:57 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/lib/dovecot/pop3-login flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  /usr/lib/dovecot/pop3-login mr,
+  /var/run/dovecot/login/ r,
+  /var/run/dovecot/login/* rw,
+}

profiles/apparmor.d/usr.sbin.dovecot

@@ -0,0 +1,33 @@
+# Last Modified: Fri Oct 10 17:20:34 2008
+# Author: Kees Cook <kees@ubuntu.com>
+#include <tunables/global>
+/usr/sbin/dovecot flags=(complain) {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/ssl_certs>
+  #include <abstractions/ssl_keys>
+
+  capability chown,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_chroot,
+
+  /etc/dovecot/** r,
+  /etc/mtab r,
+  /usr/lib/dovecot/dovecot-auth Pxmr,
+  /usr/lib/dovecot/imap Pxmr,
+  /usr/lib/dovecot/imap-login Pxmr,
+  /usr/lib/dovecot/pop3 Px,
+  /usr/lib/dovecot/pop3-login Pxmr,
+  # temporarily commented out while testing
+  #/usr/lib/dovecot/managesieve Px,
+  /usr/lib/dovecot/managesieve-login Pxmr,
+  /usr/lib/dovecot/ssl-build-param ixr,
+  /usr/sbin/dovecot mr,
+  /var/lib/dovecot/ w,
+  /var/lib/dovecot/* krw,
+  /var/run/dovecot/ rw,
+  /var/run/dovecot/** rw,
+}

profiles/apparmor.d/usr.sbin.nmbd

@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Jun 20 13:22:50 2007
+#include <tunables/global>
+
+/usr/sbin/nmbd flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/samba>
+
+  capability net_bind_service,
+
+  /usr/sbin/nmbd mr,
+  /var/cache/samba/browse.dat* rw,
+  /var/lib/samba/wins.dat* rw,
+  /var/run/samba/** rk,
+  /var/run/samba/nmbd.pid rw,
+  /var/log/samba/cores/nmbd/ rw,
+  /var/log/samba/cores/nmbd/** rw,
+}

profiles/apparmor.d/usr.sbin.smbd

@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Jun 20 13:34:25 2007
+#include <tunables/global>
+
+/usr/sbin/smbd flags=(complain) {
+  #include <abstractions/authentication>
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/cups-client>
+  #include <abstractions/nameservice>
+  #include <abstractions/samba>
+  #include <abstractions/user-tmp>
+  #include <abstractions/wutmp>
+
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+  capability sys_tty_config,
+
+  /etc/mtab r,
+  /etc/printcap r,
+  /proc/*/mounts r,
+  /usr/sbin/smbd mr,
+  /var/cache/samba/** rwk,
+  /var/cache/samba/printing/printers.tdb mrw,
+  /var/lib/samba/** rwk,
+  /var/lib/samba/printers/** rw,
+  /var/run/cups/cups.sock rw,
+  /var/run/dbus/system_bus_socket rw,
+  /var/run/samba/** rk,
+  /var/run/samba/smbd.pid rw,
+  /var/log/samba/cores/smbd/ rw,
+  /var/log/samba/cores/smbd/** rw,
+  /var/spool/samba/** rw,
+
+  @{HOMEDIRS}/** lrw,
+}

profiles/apparmor/profiles/extras/usr.bin.skype

@@ -1,35 +1,40 @@
-# Last Modified: Thu Aug 30 11:41:46 2007
+# Last Modified: Mon Oct 26 13:29:13 2009
 # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53
+# Additional profiling based on work by Андрей Калинин, LP: #226624
 #include <tunables/global>
 /usr/bin/skype flags=(complain) {
   #include <abstractions/audio>
   #include <abstractions/base>
   #include <abstractions/fonts>
+  #include <abstractions/freedesktop.org>
+  #include <abstractions/kde>
   #include <abstractions/nameservice>
+  #include <abstractions/nvidia>
+  #include <abstractions/user-tmp>
+  #include <abstractions/X>
 
-  /home/*/.ICEauthority r,
-  /home/*/.Skype/ rw,
-  /home/*/.Skype/** krw,
-  /home/*/.Xauthority r,
-  /home/*/.config/Trolltech.conf kr,
-  /home/*/.fontconfig/* r,
-  /home/*/.mozilla/ r,
-  /home/*/.mozilla/firefox/ r,
-  /home/*/.mozilla/firefox/*/ r,
-  /home/*/.mozilla/firefox/*/bookmarkbackups/ r,
-  /home/*/.mozilla/firefox/*/chrome/ r,
-  /home/*/.mozilla/firefox/*/extensions/ r,
-  /home/*/.mozilla/firefox/*/prefs.js r,
-  /proc/interrupts r,
-  /tmp/.ICE-unix/* w,
-  /tmp/.X11-unix/X0 w,
-  /usr/bin/skype mr,
-  /usr/lib/qt4/plugins/iconengines/ r,
-  /usr/lib/qt4/plugins/imageformats/ r,
-  /usr/lib/qt4/plugins/imageformats/*.so mr,
-  /usr/lib/qt4/plugins/inputmethods/ r,
-  /usr/share/X11/locale/** r,
-  /usr/share/icons/** r,
-  /usr/share/skype/sounds/*.wav kr,
+  # are these needed?
+  /proc/*/cmdline r,
+  /dev/video* mrw,
   /var/cache/libx11/compose/* r,
+
+  # should this be in a separate KDE abstraction?
+  @{HOME}/.kde/share/config/kioslaverc r,
+
+  /usr/bin/skype mr,
+  /usr/share/skype/** kr,
+  /usr/share/skype/sounds/*.wav kr,
+
+  @{HOME}/.Skype/   rw,
+  @{HOME}/.Skype/** krw,
+  @{HOME}/.config/* kr,
+
+  @{HOME}/.mozilla/ r,
+  @{HOME}/.mozilla/*/ r,
+  @{HOME}/.mozilla/*/*/ r,
+  @{HOME}/.mozilla/*/*/bookmarkbackups/ r,
+  @{HOME}/.mozilla/*/*/chrome/ r,
+  @{HOME}/.mozilla/*/*/extensions/ r,
+  @{HOME}/.mozilla/*/*/prefs.js r,
 }
+