diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 1aee6b81..a5e240d9 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -24,6 +24,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
+  include
   include
   include
   include
@@ -173,6 +174,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   /etc/@{firefox_name}/{,**} r,
   /etc/fstab r,
+  /etc/cups/client.conf r,
   /etc/igfx_user_feature{,_next}.txt w,
   /etc/libva.conf r,
   /etc/mailcap r,
@@ -183,10 +185,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   /var/lib/nscd/services r,
   owner @{HOME}/ r,
+  owner @{HOME}/.cups/lpoptions r,
   owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
-  owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp*} rw,
   owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
@@ -240,7 +241,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/drm/card@{int}/ r,
   @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
   @{sys}/devices/pci[0-9]*/**/irq r,
-  @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]/size r,
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
   @{sys}/devices/system/cpu/present r,
   @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index 6a0f44ef..7db351c1 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -19,6 +19,7 @@ profile firefox-glxtest @{exec_path} {
   include
   include
   include
+  include
   @{exec_path} mr,
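Review bot: The two `gstreamer-@{int}` cache rules are dropped in the `@@ -183` hunk while the only compensating change visible is the `include` added at line 24, whose target is not shown in this diff; if that include does not grant `owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp*} rw`, Firefox will presumably be denied writing its GStreamer plugin registry and rescan plugins on every start. Worth confirming against audit output on a system where media playback is exercised before merging. The new `owner @{HOME}/.cups/lpoptions r` line is read-only and owner-scoped, which is fine. The profile body continues outside the hunk.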
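Review bot: In the `@@ -240` hunk `cpu[0-9]` is widened to `cpu@{int}`, but the sibling rule two lines below still uses `policy[0-9]`, so on machines with more than ten cpufreq policies (each core can have its own policy) reads of `cpuinfo_max_freq` for `policy10` and up remain denied. For consistency with the line being fixed, change it to `@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,`. `index[0-9]` can stay, since cache index numbers do not leave single digits in practice. The profile body continues outside the hunk.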
@@ -26,12 +27,8 @@ profile firefox-glxtest @{exec_path} {
   owner /tmp/firefox/.parentlock rw,
-  owner /tmp/xauth_@{rand6} r,
-
-  owner @{run}/user/@{uid}/xauth_@{rand6} r,
-
   @{sys}/bus/pci/devices/ r,
-  @{sys}/devices/pci[0-9]*/**/class r,
+  @{sys}/devices/@{pci}/class r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index 79fd9dc5..812db1cf 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -16,21 +16,30 @@ profile firefox-kmozillahelper @{exec_path} {
   include
   include
   include
+  include
   ptrace (read) peer=firefox,
   @{exec_path} mr,
+  @{lib}/libheif/ r,
+  @{lib}/libheif/*.so* rm,
+  /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
+  /usr/share/knotifications5/*.notifyrc r,
   /usr/share/kservices5/{,**} r,
   /usr/share/mime/ r,
+  /usr/share/sounds/{,**} r,
   /etc/xdg/kdeglobals r,
   /etc/xdg/kwinrc r,
   /etc/xdg/menus/ r,
   /etc/xdg/menus/applications-merged/ r,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
+  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/ksycoca5_* r,
@@ -38,11 +47,18 @@ profile firefox-kmozillahelper @{exec_path} {
   owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kmozillahelperrc r,
+  owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
   owner @{user_config_dirs}/kwinrc r,
+  owner @{user_share_dirs}/RecentDocuments/ r,
+  owner @{user_share_dirs}/RecentDocuments/*.desktop w,
+  owner @{user_share_dirs}/recently-used.xbel.@{rand6} l,
+
+  owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
   owner @{run}/user/@{uid}/xauth_@{rand6} rl,
-  @{PROC}/sys/kernel/core_pattern r,
+  @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/mountinfo r,
   /dev/tty r,
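Review bot: The `xauth_@{rand6}` read rules under `/tmp` and `@{run}/user/@{uid}` are removed from firefox-glxtest without a visible replacement in this file; glxtest has to open the X display to probe GLX, so under an X11 session with a per-session authority file it now depends entirely on the `include` added in the previous hunk, whose target is not shown here. Confirm that include grants those paths, otherwise the probe presumably fails and Firefox falls back to software rendering with only an audit denial to show for it. Narrowing `@{sys}/devices/pci[0-9]*/**/class` to `@{sys}/devices/@{pci}/class` is a good tightening. The profile header is outside the hunk; the closing `}` is inside it.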
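Review bot: In the `@@ -38` hunk `kmozillahelperrc.@{rand6}` gets `rwl` while the final name `kmozillahelperrc` on the line above keeps only `r`; a write-to-temp-then-link save (which a `.@{rand6}` temp name with `l` suggests) also needs `l` on the final name, and AppArmor's link-subset rule further requires the new link's permissions to be a subset of the original's, so the config save presumably still ends in a denial. If the helper is meant to persist its settings, grant both names together, `owner @{user_config_dirs}/kmozillahelperrc{,.@{rand6}} rwl,`; if it is not, drop the `l` from the temp file. The same question applies to `recently-used.xbel.@{rand6} l`, whose base-file rule is not visible in this hunk. The profile body continues outside the hunk.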