diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 44db67c2..c2cd3c8d 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -3,38 +3,36 @@
 # Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Warning: Such a profile is limitted as it gives access to a lot of resources.
-
 abi ,
 include
-@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
-@{MOZ_LIBDIR} += /opt/firefox{,-esr}
-@{MOZ_HOMEDIR} = @{HOME}/.mozilla
-@{exec_path} = /{usr/,}bin/firefox @{MOZ_LIBDIR}/firefox{,-bin,-esr}
+@{firefox_name} = firefox{,-esr}
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+@{firefox_config_dirs} = @{HOME}/.mozilla/
+@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
+
+@{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
 profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
+ include
+ include
 include
 include
- include
 include
+ include
 include
 include
 include
 include
- include
- include
+ include
 include
 include
 include
 include
 include
 include
- include
- include
- include
- include
 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
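Review bot: The four `@{firefox_*}` variable definitions added here are repeated verbatim in the firefox-crashreporter, firefox-minidump-analyzer, firefox-pingsender and firefox-plugin-container headers later in this patch, so a later edit to `@{firefox_lib_dirs}` in one file but not the others would leave the parent's `rPx` transitions and the child profiles' `@{exec_path}` attachments disagreeing; one shared tunable included by all five profiles would remove that drift. Separately, `@{firefox_lib_dirs}` and `@{firefox_config_dirs}` are defined with a trailing slash while every use appends another (`@{firefox_lib_dirs}/@{firefox_name}`, `@{firefox_config_dirs}/firefox/`), which yields `//` in the expanded paths; the hunk's own `@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/` shows the repository convention of no trailing slash on the variable itself. Dropping it, e.g. `@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name} /opt/@{firefox_name}` and `@{firefox_config_dirs} = @{HOME}/.mozilla`, keeps every expansion a single-slash path without relying on the parser to normalise it.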
@@ -131,41 +129,41 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
- @{MOZ_LIBDIR}/{,**} r,
- @{MOZ_LIBDIR}/*.so mr,
- @{MOZ_LIBDIR}/crashreporter rPx,
- @{MOZ_LIBDIR}/minidump-analyzer rPx,
- @{MOZ_LIBDIR}/pingsender rPx,
- @{MOZ_LIBDIR}/plugin-container rPx,
-
- @{libexec}/gvfsd-metadata rPx,
- /{usr/,}bin/browserpass rPx,
- /{usr/,}bin/gpa rPx,
- /{usr/,}bin/keepassxc-proxy rPx,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
- /{usr/,}bin/update-mime-database rPx,
- /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
-
- # Allowed apps to open
- /{usr/,}bin/exo-open rPx -> child-open,
- /{usr/,}bin/xdg-open rPx -> child-open,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
- /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+ @{firefox_lib_dirs}/{,**} r,
+ @{firefox_lib_dirs}/*.so mr,
+ @{firefox_lib_dirs}/crashreporter rPx,
+ @{firefox_lib_dirs}/minidump-analyzer rPx,
+ @{firefox_lib_dirs}/pingsender rPx,
+ @{firefox_lib_dirs}/plugin-container rPx,
 /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
 /{usr/,}lib/mozilla/plugins/ r,
 /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
+ # Desktop integration
+ @{libexec}/gvfsd-metadata rPx,
+ /{usr/,}bin/exo-open rPx -> child-open,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/update-mime-database rPx,
+ /{usr/,}bin/xdg-open rPx -> child-open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+
+ # Common extensions
+ /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
+ /{usr/,}bin/browserpass rPx,
+ /{usr/,}bin/keepassxc-proxy rPx,
+
 /usr/share/doc/{,**} r,
 /usr/share/egl/{,**} r,
- /usr/share/firefox{,-esr}/{,**} r,
+ /usr/share/@{firefox_name}/{,**} r,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/libdrm/*.ids r,
 /usr/share/mozilla/extensions/{,**} r,
 /usr/share/webext/{,**} r,
 /usr/share/xul-ext/kwallet5/* r,
- /etc/firefox{,-esr}/{,**} r,
+ /etc/@{firefox_name}/{,**} r,
 /etc/fstab r,
 /etc/igfx_user_feature{,_next}.txt w,
 /etc/libva.conf r,
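Review bot: The regrouping under `# Desktop integration` and `# Common extensions` also drops `/{usr/,}bin/gpa rPx,` with no replacement, which is a behavioural change hidden inside what otherwise reads as a rename and reorder of existing rules. If retiring the gpa transition is intended it should be stated in the commit description; if not, add `/{usr/,}bin/gpa rPx,` back under `# Common extensions`. The enclosing profile block starts before and ends after this hunk.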
@@ -174,100 +172,100 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 /etc/opensc.conf r,
 /etc/xul-ext/kwallet5.js r,
- # gnome-tiny
- @{run}/mount/utab r,
- owner @{HOME}/ r,
- owner @{MOZ_HOMEDIR}/ rw,
- owner @{MOZ_HOMEDIR}/{extensions,systemextensionsdev}/ rw,
- owner @{MOZ_HOMEDIR}/firefox/ rw,
- owner @{MOZ_HOMEDIR}/firefox/installs.ini rw,
- owner @{MOZ_HOMEDIR}/firefox/profiles.ini rw,
- owner @{MOZ_HOMEDIR}/firefox/*/ rw,
- owner @{MOZ_HOMEDIR}/firefox/*/** rwk,
- owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
+ owner @{user_cache_dirs}/ rw,
+ owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
+ owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
 owner @{user_config_dirs}/ r,
 owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
 owner @{user_config_dirs}/mimeapps.list{,.*} rw,
- owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
- owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
- owner @{user_cache_dirs}/mozilla/ rw,
- owner @{user_cache_dirs}/mozilla/** rwk,
- owner @{user_share_dirs}/ r,
+ owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
 owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
 owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
- owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
- /var/tmp/ r,
+ owner @{firefox_config_dirs}/ rw,
+ owner @{firefox_config_dirs}/{extensions,systemextensionsdev}/ rw,
+ owner @{firefox_config_dirs}/firefox/ rw,
+ owner @{firefox_config_dirs}/firefox/*/ rw,
+ owner @{firefox_config_dirs}/firefox/*/** rwk,
+ owner @{firefox_config_dirs}/firefox/installs.ini rw,
+ owner @{firefox_config_dirs}/firefox/profiles.ini rw,
+ owner @{firefox_config_dirs}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
+
+ owner @{firefox_cache_dirs}/ rw,
+ owner @{firefox_cache_dirs}/** rwk,
+ /tmp/ r,
+ /var/tmp/ r,
 owner /tmp/* rw,
 owner /tmp/firefox_*/ rw,
 owner /tmp/firefox_*/* rwk,
- owner /tmp/firefox{,-esr}/ rw,
- owner /tmp/firefox{,-esr}/* rwk,
+ owner /tmp/@{firefox_name}/ rw,
+ owner /tmp/@{firefox_name}/* rwk,
 owner /tmp/mozilla_*/ rw,
 owner /tmp/mozilla_*/* rw,
 owner /tmp/Temp-*/ rw,
+ @{run}/mount/utab r,
 @{run}/udev/data/* r,
- @{sys}/bus/ r,
- @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
- @{sys}/class/ r,
- @{sys}/class/**/ r,
- @{sys}/devices/**/uevent r,
- @{sys}/devices/pci[0-9]*/**/ r,
- @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
- @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
- @{sys}/devices/pci[0-9]*/**/irq r,
- @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
- deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
- deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- deny @{sys}/devices/system/cpu/present r,
+ @{sys}/bus/ r,
+ @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+ @{sys}/class/ r,
+ @{sys}/class/**/ r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/ r,
+ @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
+ @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
+ @{sys}/devices/pci[0-9]*/**/irq r,
+ @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+ @{sys}/devices/system/cpu/present r,
+ @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
- @{PROC}/@{pid}/net/arp r,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/route r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/comm r,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/oom_score_adj w,
- owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
- owner @{PROC}/@{pid}/task/ r,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
- owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
- deny owner @{PROC}/@{pid}/smaps r,
- deny owner @{PROC}/@{pid}/stat r,
- deny owner @{PROC}/@{pid}/statm r,
- deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
- deny owner @{PROC}/@{pids}/cmdline r,
- deny owner @{PROC}/@{pids}/environ r,
+ @{PROC}/@{pid}/net/arp r,
+ @{PROC}/@{pid}/net/if_inet6 r,
+ @{PROC}/@{pid}/net/route r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/comm r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj w,
+ owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pid}/smaps r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/statm r,
+ owner @{PROC}/@{pid}/task/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
+ owner @{PROC}/@{pids}/cmdline r,
+ owner @{PROC}/@{pids}/environ r,
- /dev/ r,
- /dev/video[0-9]* rw,
- /dev/hidraw[0-9]* rw,
- owner /dev/dri/card[0-9]* rw, # File Inherit
- owner /dev/shm/org.chromium.* rw,
- owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
- owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
- owner /dev/tty[0-9]* rw, # File Inherit
- deny /dev/shm/ r,
+ /dev/ r,
+ /dev/hidraw[0-9]* rw,
+ /dev/shm/ r,
+ /dev/tty rw,
+ /dev/video[0-9]* rw,
+ owner /dev/dri/card[0-9]* rw, # File Inherit
+ owner /dev/shm/org.chromium.* rw,
+ owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
+ owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
+ owner /dev/tty[0-9]* rw, # File Inherit
 # Silencer
- deny @{MOZ_LIBDIR}/** w,
- deny capability sys_ptrace,
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- deny owner @{HOME}/.* r,
- deny /tmp/MozillaUpdateLock-* w,
+ deny @{firefox_lib_dirs}/** w,
 deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+ deny /tmp/MozillaUpdateLock-* w,
+ deny capability sys_ptrace,
+ deny owner @{HOME}/.* r,
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index 683f27a9..dac93e95 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -7,9 +7,12 @@ abi ,
 include
-@{MOZ_HOMEDIR} = @{HOME}/.mozilla
+@{firefox_name} = firefox{,-esr}
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+@{firefox_config_dirs} = @{HOME}/.mozilla/
+@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
-@{exec_path} = /{usr/,}lib/firefox/crashreporter
+@{exec_path} = @{firefox_lib_dirs}/crashreporter
 profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
 include
 include
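Review bot: The `deny owner @{PROC}/@{pids}/cmdline r,` and `deny owner @{PROC}/@{pids}/environ r,` rules become plain `owner ... r,` allow rules, so the browser may now read the command line and environment of every other process of the same user rather than only its own `@{pid}`, and process environments routinely carry tokens and passwords handed over by wrappers and launchers. Unless the silenced denials were producing real breakage, keep `deny owner @{PROC}/@{pids}/environ r,` and `deny owner @{PROC}/@{pids}/cmdline r,`, or narrow the allow rules to `@{pid}` as the neighbouring `smaps`/`stat`/`statm` lines already are. The same hunk also turns `deny /dev/shm/ r,` into an allow and adds `/dev/tty rw,`, neither of which the diff explains; a short comment on each, or a sentence in the commit description, would record why the silencers were lifted. The enclosing profile block starts before this hunk.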
@@ -30,26 +33,19 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}lib/firefox/minidump-analyzer rPx,
+ @{firefox_lib_dirs}/minidump-analyzer rPx,
 /{usr/,}bin/mv rix,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/X11/xkb/** r,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
+ owner "@{firefox_config_dirs}/firefox/Crash Reports/{,**}" rw,
+ owner @{firefox_config_dirs}/*.*/crashes/{,**} rw,
+ owner @{firefox_config_dirs}/*.*/extensions/*.xpi r,
+ owner @{firefox_config_dirs}/*.*/minidumps/{,**} rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/@{uuid} rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,
- owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
-
- owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,
+ owner @{firefox_cache_dirs}/firefox/*.*/** r,
 /tmp/ r,
 /var/tmp/ r,
diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer
index 77963126..9628ac38 100644
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@@ -9,7 +9,12 @@ include
 @{MOZ_HOMEDIR} = @{HOME}/.mozilla
-@{exec_path} = /{usr/,}lib/firefox/minidump-analyzer
+@{firefox_name} = firefox{,-esr}
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+@{firefox_config_dirs} = @{HOME}/.mozilla/
+@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
+
+@{exec_path} = @{firefox_lib_dirs}/minidump-analyzer
 profile firefox-minidump-analyzer @{exec_path} {
 include
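Review bot: The new rules `owner @{firefox_config_dirs}/*.*/crashes/{,**} rw,`, `owner @{firefox_config_dirs}/*.*/extensions/*.xpi r,` and `owner @{firefox_config_dirs}/*.*/minidumps/{,**} rw,` drop the `firefox/` path component that the lines they replace had (`@{MOZ_HOMEDIR}/firefox/*.*/...`), and since AppArmor's `*` does not match across `/`, they no longer match the `~/.mozilla/firefox/*.*/` profile directories that the kept `"Crash Reports"` rule directly above still assumes; in enforce mode the crash reporter would then be denied writing its own dumps. Restore the component, e.g. `owner @{firefox_config_dirs}/firefox/*.*/crashes/{,**} rw,` and likewise for the `extensions` and `minidumps` rules. The firefox-minidump-analyzer hunk later in this patch drops the same `firefox/` segment in its `extensions/*.xpi` and two `minidumps/` rules and needs the same fix, while the firefox-pingsender hunk keeps `@{firefox_config_dirs}/firefox/*.*/...` and shows the intended form. The enclosing profile block starts before and ends after this hunk.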
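Review bot: `@{MOZ_HOMEDIR} = @{HOME}/.mozilla` survives as a context line although the next hunk of this file replaces every visible `@{MOZ_HOMEDIR}` use with `@{firefox_config_dirs}`, so as far as the two hunks show the old variable is now dead and the same directory is defined twice with room to diverge. Deleting the `@{MOZ_HOMEDIR}` line is a one-line cleanup with no behavioural effect if nothing else in the file references it, which the visible hunks suggest but do not prove.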
@@ -17,17 +22,16 @@ profile firefox-minidump-analyzer @{exec_path} {
 @{exec_path} mr,
- owner @{HOME}/.mozilla/firefox/*.*/extensions/*.xpi r,
 owner @{HOME}/.xsession-errors w,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw,
- owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
+ owner "@{firefox_config_dirs}/firefox/Crash Reports/" rw,
+ owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/" rw,
+ owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
+ owner @{firefox_config_dirs}/*.*/extensions/*.xpi r,
+ owner @{firefox_config_dirs}/*.*/minidumps/ rw,
+ owner @{firefox_config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw,
- owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
-
- owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
+ owner @{firefox_cache_dirs}/firefox/*.*/startupCache/*Cache* r,
 owner /tmp/@{hex}.{dmp,extra} rw,
 owner /tmp/firefox/.parentlock w,
diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender
index 95cb1536..284e4dda 100644
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@@ -7,7 +7,11 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/firefox/pingsender
+@{firefox_name} = firefox{,-esr}
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+@{firefox_config_dirs} = @{HOME}/.mozilla/
+
+@{exec_path} = @{firefox_lib_dirs}/pingsender
 profile firefox-pingsender @{exec_path} {
 include
 include
@@ -18,7 +22,7 @@ profile firefox-pingsender @{exec_path} {
 @{exec_path} mr,
- owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw,
+ owner @{firefox_config_dirs}/firefox/*.*/saved-telemetry-pings/@{uuid} rw,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container
index 7827c3fe..6cde3e60 100644
--- a/apparmor.d/groups/browsers/firefox-plugin-container
+++ b/apparmor.d/groups/browsers/firefox-plugin-container
@@ -7,7 +7,10 @@ abi ,
 include
-@{exec_path} = /{usr/,}lib/firefox{,-esr}/plugin-container
+@{firefox_name} = firefox{,-esr}
+@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
+
+@{exec_path} = @{firefox_lib_dirs}/plugin-container
 profile firefox-plugin-container @{exec_path} {
 include