Merge Improvements from the Ubuntu 20.04 Firefox profile

This brings in numerous improvements from the Firefox AppArmor profile that Ubuntu ships in 20.04/focal. The raw profile may be viewed [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox-trunk.head/view/head:/debian/usr.bin.firefox.apparmor.14.10) (or alternately [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10)). To review, you may not only want to compare this new version against HEAD, but also against the Ubuntu profile, which has a smaller diff. I suggest preprocessing the latter with the following to reduce extraneous diffs: ``` sed 's,@{PROC}/\[0-9\]\*/,@{PROC}/@{pid}/,g; s,/@{pid}/task/\[0-9\]\*/,/@{pid}/task/@{tid}/,g; s/#\(include\)/\1/' ``` I've made a few minor edits along the way, such as using AppArmor variables instead of preprocessing directives (like `@MOZ_LIBDIR@`) that are substituted in the Firefox package build. Any feature/stylistic downgrades in the Ubuntu profile should have been filtered out. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1043 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-30 22:05:27 +00:00 · 2023-06-09 01:57:25 +00:00
parent 1e0d7bcbb7 d367adf1f1
commit 8ef7e91a38
1 changed files with 208 additions and 13 deletions
--- a/profiles/apparmor/profiles/extras/firefox
+++ b/profiles/apparmor/profiles/extras/firefox
@@ -13,67 +13,138 @@ abi <abi/3.0>,

 include <tunables/global>

+# Declare some variables to help with variants
+@{MOZ_APP_NAME}=firefox{,-esr}
+@{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*}
+@{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons
+
 # We want to confine the binaries that match:
 #  /usr/lib/firefox-4.0b8/firefox
-#  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
-profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
+profile firefox @{MOZ_LIBDIR}/firefox{,*[^s][^h]} {
  include <abstractions/audio>
  include <abstractions/cups-client>
-  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/ibus>
-  include <abstractions/kde>
  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/p11-kit>
+  include <abstractions/ubuntu-unity7-base>
+  include <abstractions/ubuntu-unity7-launcher>
+
+  include <abstractions/dbus-accessibility-strict>
+  dbus (send)
+       bus=session
+       peer=(name=org.a11y.Bus),
+  dbus (receive)
+       bus=session
+       interface=org.a11y.atspi**,
+  dbus (receive, send)
+       bus=accessibility,

  # for networking
  network inet stream,
  network inet6 stream,
+  @{PROC}/@{pid}/net/arp r,
  @{PROC}/@{pid}/net/if_inet6 r,
  @{PROC}/@{pid}/net/ipv6_route r,
+  @{PROC}/@{pid}/net/dev r,
+  @{PROC}/@{pid}/net/wireless r,
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       member=state,
+  dbus (receive)
+       bus=system
+       path=/org/freedesktop/NetworkManager,
+
+  # used by third_party/rust/audio_thread_priority
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/RealtimeKit1,

  # should maybe be in abstractions
+  /etc/ r,
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /etc/xdg/*buntu/applications/defaults.list    r, # for all derivatives
+  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/defaults.list r,
+  owner @{HOME}/.local/share/applications/mimeapps.list r,
+  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
+  /var/lib/snapd/desktop/applications/*.desktop r,
  owner /tmp/** m,
  owner /var/tmp/** m,
+  owner /{,var/}run/shm/shmfd-* rw,
+  owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
+  owner /{dev,run}/shm/wayland.mozilla.ipc.[0-9]* rw,
  /tmp/.X[0-9]*-lock r,
+  /etc/udev/udev.conf r,
+  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+  # Possibly move to an abstraction if anything else needs it.
+  deny /run/udev/data/** r,
+  # let the shell know we launched something
+  dbus (send)
+     bus=session
+     interface=org.gtk.gio.DesktopAppInfo
+     member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
+  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
+  /etc/xulrunner{,-[0-9]*}/ r,
  /etc/xulrunner{,-[0-9]*}/** r,
+  /etc/gre.d/ r,
  /etc/gre.d/* r,
-  /etc/mailcap r,
-  /etc/mime.types r,

  # noisy
-  deny /usr/lib/firefox{,-[0-9]*}/** w,
-  deny /usr/lib/{firefox,xulrunner}-addons/** w,
+  deny @{MOZ_LIBDIR}/** w,
+  deny @{MOZ_ADDONDIR}/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
+  deny @{HOME}/.local/share/recently-used.xbel r,

+  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
-  /usr/lib/firefox{,-[0-9]*}/** ixr,
-  deny /usr/lib/firefox/firefox.sh x,
+  @{MOZ_LIBDIR}/** ixr,
+  deny @{MOZ_LIBDIR}/firefox.sh x,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /{usr/,}sbin/killall5 ixr,
  /{usr/,}bin/which ixr,
  /usr/bin/tr ixr,
+  @{PROC}/ r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  @{PROC}/@{pid}/status r,
+  @{PROC}/filesystems r,
+  @{PROC}/sys/vm/overcommit_memory r,
+  # prevent crash LP: #1931602
+  /sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r,
+  /sys/devices/platform/**/uevent r,
+  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
+  /sys/devices/pci*/**/{,subsystem_}device r,
+  /sys/devices/pci*/**/{,subsystem_}vendor r,
+  /sys/devices/system/node/node[0-9]*/meminfo r,
+  owner @{HOME}/.cache/thumbnails/** rw,

  /etc/mtab r,
  /etc/fstab r,
@@ -83,9 +154,15 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
  owner @{PROC}/@{pid}/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/** r,
+
+  # about:memory
+  owner @{PROC}/@{pid}/statm r,
+  owner @{PROC}/@{pid}/smaps r,

  # Needed for container to work in xul builds
-  /usr/lib/xulrunner-*/plugin-container ixr,
+  @{MOZ_LIBDIR}/plugin-container ixr,

  # Make browsing directories work
  / r,
@@ -109,7 +186,112 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
-  owner @{HOME}/.gnome2/firefox*-bin-* rw,
+  owner @{HOME}/.gnome2/firefox* rwk,
+  owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
+  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
+  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
+  owner @{HOME}/.config/gtk-3.0/bookmarks r,
+  owner @{HOME}/.config/dconf/user w,
+  owner /{,var/}run/user/*/dconf/user w,
+  dbus (send)
+       bus=session
+       path=/org/gnome/GConf/Server
+       member=GetDefaultDatabase
+       peer=(label=unconfined),
+  dbus (send)
+       bus=session
+       path=/org/gnome/GConf/Database/*
+       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
+       peer=(label=unconfined),
+  dbus (send)
+       bus=session
+       path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(label=unconfined),
+
+  # Allow access to xdg-desktop-portal and xdg-document-portal (LP: #1974449)
+  dbus (receive, send)
+       bus=session
+       interface=org.freedesktop.portal.*
+       path=/org/freedesktop/portal/{desktop,documents}{,/**}
+       peer=(label=unconfined),
+
+  dbus (receive, send)
+       bus=session
+       interface=org.freedesktop.DBus.Properties
+       path=/org/freedesktop/portal/{desktop,documents}{,/**}
+       peer=(label=unconfined),
+
+  # Allow remote control when running on Wayland
+  dbus (send)
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+  dbus (bind)
+       bus=session
+       name=org.mozilla.firefox.*,
+  dbus (send, receive)
+       bus=session
+       path=/org/mozilla/firefox/Remote
+       interface=org.mozilla.firefox
+       member=OpenURL
+       peer=(label=firefox),
+
+  # gnome-session
+  dbus (send)
+       bus=session
+       path=/org/gnome/SessionManager
+       interface=org.gnome.SessionManager
+       member={Inhibit,Uninhibit}
+       peer=(label=unconfined),
+
+  # unity screen API
+  dbus (send)
+       bus=system
+       interface="org.freedesktop.DBus.Introspectable"
+       path="/com/canonical/Unity/Screen"
+       member="Introspect"
+       peer=(label=unconfined),
+  dbus (send)
+       bus=system
+       interface="com.canonical.Unity.Screen"
+       path="/com/canonical/Unity/Screen"
+       member={keepDisplayOn,removeDisplayOnRequest}
+       peer=(label=unconfined),
+
+  # freedesktop.org ScreenSaver
+  dbus (send)
+       bus=session
+       path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
+       interface=org.freedesktop.ScreenSaver
+       member={Inhibit,UnInhibit,SimulateUserActivity}
+       peer=(label=unconfined),
+
+  # gnome, kde and cinnamon screensaver
+  dbus (send)
+       bus=session
+       path=/{,ScreenSaver}
+       interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
+       member=SimulateUserActivity
+       peer=(label=unconfined),
+
+  # UPower
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/UPower
+       interface=org.freedesktop.UPower
+       member=EnumerateDevices
+       peer=(label=unconfined),
+
+  # File browser
+  dbus (send)
+       bus=session
+       interface=org.freedesktop.FileManager1
+       path=/org/freedesktop/FileManager1
+       member=ShowItems,

  #
  # Extensions
@@ -117,7 +299,7 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,

-  deny /usr/lib/firefox{,-[0-9]*}/update.test w,
+  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
@@ -127,6 +309,19 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
  ptrace (trace) peer=@{profile_name},
  @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,

+  # Miscellaneous (to be abstracted)
+  # Ideally these would use a child profile. They are all ELF executables
+  # so running with 'Ux', while not ideal, is ok because we will at least
+  # benefit from glibc's secure execute.
+  /usr/bin/mkfifo Uxr,  # investigate
+  /bin/ps Uxr,
+  /bin/uname Uxr,
+
+  /usr/bin/lsb_release Pxr -> lsb_release,
+
+  # Addons
+  include if exists <abstractions/ubuntu-browsers.d/firefox>
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.firefox>
  include if exists <local/firefox>