diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/firefox
index 051a4b45d..841e2f9b3 100644
--- a/profiles/apparmor/profiles/extras/firefox
+++ b/profiles/apparmor/profiles/extras/firefox
@@ -13,67 +13,138 @@ abi , include +# Declare some variables to help with variants +@{MOZ_APP_NAME}=firefox{,-esr} +@{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*} +@{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons + # We want to confine the binaries that match: # /usr/lib/firefox-4.0b8/firefox -# /usr/lib/firefox-4.0b8/firefox # but not: # /usr/lib/firefox-4.0b8/firefox.sh -profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} { +profile firefox @{MOZ_LIBDIR}/firefox{,*[^s][^h]} { include include - include + include + include + include include include - include include + include + include + include + include + + include + dbus (send) + bus=session + peer=(name=org.a11y.Bus), + dbus (receive) + bus=session + interface=org.a11y.atspi**, + dbus (receive, send) + bus=accessibility, # for networking network inet stream, network inet6 stream, + @{PROC}/@{pid}/net/arp r, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/wireless r, + dbus (send) + bus=system + path=/org/freedesktop/NetworkManager + member=state, + dbus (receive) + bus=system + path=/org/freedesktop/NetworkManager, + + # used by third_party/rust/audio_thread_priority + dbus (send) + bus=system + path=/org/freedesktop/RealtimeKit1, # should maybe be in abstractions + /etc/ r, + /etc/mime.types r, + /etc/mailcap r, + /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives + /etc/xfce4/defaults.list r, /usr/share/xubuntu/applications/defaults.list r, + owner @{HOME}/.local/share/applications/defaults.list r, + owner @{HOME}/.local/share/applications/mimeapps.list r, + owner @{HOME}/.local/share/applications/mimeinfo.cache r, + /var/lib/snapd/desktop/applications/mimeinfo.cache r, + /var/lib/snapd/desktop/applications/*.desktop r, owner /tmp/** m, owner /var/tmp/** m, + owner /{,var/}run/shm/shmfd-* rw, + owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk, + owner /{dev,run}/shm/wayland.mozilla.ipc.[0-9]* rw, 
/tmp/.X[0-9]*-lock r, + /etc/udev/udev.conf r, + # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed. + # Possibly move to an abstraction if anything else needs it. + deny /run/udev/data/** r, + # let the shell know we launched something + dbus (send) + bus=session + interface=org.gtk.gio.DesktopAppInfo + member=Launched, /etc/timezone r, /etc/wildmidi/wildmidi.cfg r, # firefox specific + /etc/firefox*/ r, /etc/firefox*/** r, /etc/xul-ext/** r, + /etc/xulrunner{,-[0-9]*}/ r, /etc/xulrunner{,-[0-9]*}/** r, + /etc/gre.d/ r, /etc/gre.d/* r, - /etc/mailcap r, - /etc/mime.types r, # noisy - deny /usr/lib/firefox{,-[0-9]*}/** w, - deny /usr/lib/{firefox,xulrunner}-addons/** w, + deny @{MOZ_LIBDIR}/** w, + deny @{MOZ_ADDONDIR}/** w, deny /usr/lib/xulrunner-*/components/*.tmp w, deny /.suspended r, deny /boot/initrd.img* r, deny /boot/vmlinuz* r, deny /var/cache/fontconfig/ w, + deny @{HOME}/.local/share/recently-used.xbel r, + # TODO: investigate deny /usr/bin/gconftool-2 x, # These are needed when a new user starts firefox and firefox.sh is used - /usr/lib/firefox{,-[0-9]*}/** ixr, - deny /usr/lib/firefox/firefox.sh x, + @{MOZ_LIBDIR}/** ixr, + deny @{MOZ_LIBDIR}/firefox.sh x, /usr/bin/basename ixr, /usr/bin/dirname ixr, /usr/bin/pwd ixr, /{usr/,}sbin/killall5 ixr, /{usr/,}bin/which ixr, /usr/bin/tr ixr, + @{PROC}/ r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/status r, + @{PROC}/filesystems r, + @{PROC}/sys/vm/overcommit_memory r, + # prevent crash LP: #1931602 + /sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r, + /sys/devices/platform/**/uevent r, + /sys/devices/pci*/**/{busnum,idVendor,idProduct} r, + /sys/devices/pci*/**/{,subsystem_}device r, + /sys/devices/pci*/**/{,subsystem_}vendor r, + /sys/devices/system/node/node[0-9]*/meminfo r, + owner @{HOME}/.cache/thumbnails/** rw, /etc/mtab r, /etc/fstab r, 
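Review bot: The RealtimeKit1 rule `dbus (send) bus=system path=/org/freedesktop/RealtimeKit1,` constrains neither interface, member nor peer, so it permits any method on that object rather than only the thread-priority calls the comment attributes to audio_thread_priority; it should be narrowed, e.g. add `interface=org.freedesktop.RealtimeKit1` and `member=MakeThread*` (confirm the exact member set against what the crate calls, and whether rtkit's own policy already gates its administrative methods). The `dbus (receive) bus=system path=/org/freedesktop/NetworkManager,` rule a few lines earlier has the same open shape and would benefit from an `interface=` or `peer=(label=...)` qualifier. Separately, `@{MOZ_APP_NAME}=firefox{,-esr}` now feeds `@{MOZ_LIBDIR}`, but the attachment `profile firefox @{MOZ_LIBDIR}/firefox{,*[^s][^h]}` still names the executable `firefox`; if an ESR package installs its main binary under a different name the profile will not attach to it, which is worth checking before relying on the variable for ESR. The profile block opened here continues beyond the hunk.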
@@ -83,9 +154,15 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} {
 owner @{PROC}/@{pid}/auxv r,
 /etc/lsb-release r,
 /usr/bin/expr ix,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+
+ # about:memory
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/smaps r,
 # Needed for container to work in xul builds
- /usr/lib/xulrunner-*/plugin-container ixr,
+ @{MOZ_LIBDIR}/plugin-container ixr,
 # Make browsing directories work
 / r,
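Review bot: The two new `/sys/devices/system/cpu/` rules carry no comment saying which feature reads them, unlike the neighbouring `# about:memory` pair, and `/sys/devices/system/cpu/** r,` opens the whole subtree rather than the files that were actually denied. If the denials that motivated the rule are known, narrow the glob to those paths; otherwise at least record the reason above it, e.g. `# CPU topology/cache info (TODO: narrow once the exact files are confirmed)`. The `owner @{PROC}/@{pid}/smaps r,` and `statm` rules are correctly limited to the process's own entries, which is the right shape for about:memory. The enclosing profile block starts and ends outside this hunk.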
@@ -109,7 +186,112 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} { owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k, owner @{HOME}/.{firefox,mozilla}/plugins/** rm, owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm, - owner @{HOME}/.gnome2/firefox*-bin-* rw, + owner @{HOME}/.gnome2/firefox* rwk, + owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw, + owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw, + owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k, + owner @{HOME}/.config/gtk-3.0/bookmarks r, + owner @{HOME}/.config/dconf/user w, + owner /{,var/}run/user/*/dconf/user w, + dbus (send) + bus=session + path=/org/gnome/GConf/Server + member=GetDefaultDatabase + peer=(label=unconfined), + dbus (send) + bus=session + path=/org/gnome/GConf/Database/* + member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify} + peer=(label=unconfined), + dbus (send) + bus=session + path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=ListMountableInfo + peer=(label=unconfined), + + # Allow access to xdg-desktop-portal and xdg-document-portal (LP: #1974449) + dbus (receive, send) + bus=session + interface=org.freedesktop.portal.* + path=/org/freedesktop/portal/{desktop,documents}{,/**} + peer=(label=unconfined), + + dbus (receive, send) + bus=session + interface=org.freedesktop.DBus.Properties + path=/org/freedesktop/portal/{desktop,documents}{,/**} + peer=(label=unconfined), + + # Allow remote control when running on Wayland + dbus (send) + bus=session + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + dbus (bind) + bus=session + name=org.mozilla.firefox.*, + dbus (send, receive) + bus=session + path=/org/mozilla/firefox/Remote + interface=org.mozilla.firefox + member=OpenURL + peer=(label=firefox), + + # gnome-session + dbus (send) + bus=session + path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + 
member={Inhibit,Uninhibit} + peer=(label=unconfined), + + # unity screen API + dbus (send) + bus=system + interface="org.freedesktop.DBus.Introspectable" + path="/com/canonical/Unity/Screen" + member="Introspect" + peer=(label=unconfined), + dbus (send) + bus=system + interface="com.canonical.Unity.Screen" + path="/com/canonical/Unity/Screen" + member={keepDisplayOn,removeDisplayOnRequest} + peer=(label=unconfined), + + # freedesktop.org ScreenSaver + dbus (send) + bus=session + path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit,SimulateUserActivity} + peer=(label=unconfined), + + # gnome, kde and cinnamon screensaver + dbus (send) + bus=session + path=/{,ScreenSaver} + interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver} + member=SimulateUserActivity + peer=(label=unconfined), + + # UPower + dbus (send) + bus=system + path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member=EnumerateDevices + peer=(label=unconfined), + + # File browser + dbus (send) + bus=session + interface=org.freedesktop.FileManager1 + path=/org/freedesktop/FileManager1 + member=ShowItems, # # Extensions @@ -117,7 +299,7 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} { # Allow 'x' for downloaded extensions, but inherit policy for safety owner @{HOME}/.mozilla/**/extensions/** mixr, - deny /usr/lib/firefox{,-[0-9]*}/update.test w, + deny @{MOZ_LIBDIR}/update.test w, deny /usr/lib/mozilla/extensions/**/ w, deny /usr/lib/xulrunner-addons/extensions/**/ w, deny /usr/share/mozilla/extensions/**/ w, 
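Review bot: In the freedesktop ScreenSaver rule the alternative `org.gnome/` in `path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver` looks like a typo for `org/gnome/`: a D-Bus object path element cannot contain a dot, so that branch can never match and calls to `/org/gnome/ScreenSaver` would still be denied (worth confirming against the denial log that prompted the rule). The Unity screen rules are also the only ones in this hunk that double-quote their `interface=`, `path=` and `member=` values; dropping the quotes, as every other rule does, keeps the profile consistent. The `org.freedesktop.FileManager1` `ShowItems` rule is the one new send rule without a `peer=` qualifier, unlike the GConf, portal and screensaver rules around it, and could take `peer=(label=unconfined)` for the same reason. The enclosing profile block starts and ends outside this hunk.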
@@ -127,6 +309,19 @@ profile firefox /usr/lib/firefox{,-[0-9]*}/firefox{,*[^s][^h]} { ptrace (trace) peer=@{profile_name}, @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m, + # Miscellaneous (to be abstracted) + # Ideally these would use a child profile. They are all ELF executables + # so running with 'Ux', while not ideal, is ok because we will at least + # benefit from glibc's secure execute. + /usr/bin/mkfifo Uxr, # investigate + /bin/ps Uxr, + /bin/uname Uxr, + + /usr/bin/lsb_release Pxr -> lsb_release, + + # Addons + include if exists + # Site-specific additions and overrides. See local/README for details. include if exists include if exists