feat(profiles): rethink the firefox profiles.

Alexandre Pujol 2023-02-04 19:43:05 +00:00
parent 6061d4981b
commit 222b57acb5
5 changed files with 135 additions and 130 deletions


@ -3,38 +3,36 @@
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# Warning: Such a profile is limitted as it gives access to a lot of resources.
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{firefox_name} = firefox{,-esr}
@{MOZ_LIBDIR} += /opt/firefox{,-esr} @{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{MOZ_HOMEDIR} = @{HOME}/.mozilla @{firefox_config_dirs} = @{HOME}/.mozilla/
@{exec_path} = /{usr/,}bin/firefox @{MOZ_LIBDIR}/firefox{,-bin,-esr} @{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = /{usr/,}bin/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
profile firefox @{exec_path} flags=(attach_disconnected) { profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dbus-gtk>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/opencl-intel> include <abstractions/opencl>
include <abstractions/opencl-nvidia>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/user-read> include <abstractions/user-read>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
@ -131,41 +129,41 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
@{MOZ_LIBDIR}/{,**} r, @{firefox_lib_dirs}/{,**} r,
@{MOZ_LIBDIR}/*.so mr, @{firefox_lib_dirs}/*.so mr,
@{MOZ_LIBDIR}/crashreporter rPx, @{firefox_lib_dirs}/crashreporter rPx,
@{MOZ_LIBDIR}/minidump-analyzer rPx, @{firefox_lib_dirs}/minidump-analyzer rPx,
@{MOZ_LIBDIR}/pingsender rPx, @{firefox_lib_dirs}/pingsender rPx,
@{MOZ_LIBDIR}/plugin-container rPx, @{firefox_lib_dirs}/plugin-container rPx,
@{libexec}/gvfsd-metadata rPx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/gpa rPx,
/{usr/,}bin/keepassxc-proxy rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/update-mime-database rPx,
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
# Allowed apps to open
/{usr/,}bin/exo-open rPx -> child-open,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/mozilla/plugins/ r, /{usr/,}lib/mozilla/plugins/ r,
/{usr/,}lib/mozilla/plugins/libvlcplugin.so mr, /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
# Desktop integration
@{libexec}/gvfsd-metadata rPx,
/{usr/,}bin/exo-open rPx -> child-open,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/update-mime-database rPx,
/{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
/{usr/,}lib/gio-launch-desktop rPx -> child-open,
# Common extensions
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/keepassxc-proxy rPx,
/usr/share/doc/{,**} r, /usr/share/doc/{,**} r,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/firefox{,-esr}/{,**} r, /usr/share/@{firefox_name}/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/libdrm/*.ids r, /usr/share/libdrm/*.ids r,
/usr/share/mozilla/extensions/{,**} r, /usr/share/mozilla/extensions/{,**} r,
/usr/share/webext/{,**} r, /usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r, /usr/share/xul-ext/kwallet5/* r,
/etc/firefox{,-esr}/{,**} r, /etc/@{firefox_name}/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/igfx_user_feature{,_next}.txt w, /etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r, /etc/libva.conf r,
@ -174,100 +172,100 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/opensc.conf r, /etc/opensc.conf r,
/etc/xul-ext/kwallet5.js r, /etc/xul-ext/kwallet5.js r,
# gnome-tiny
@{run}/mount/utab r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{MOZ_HOMEDIR}/ rw, owner @{user_cache_dirs}/ rw,
owner @{MOZ_HOMEDIR}/{extensions,systemextensionsdev}/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{MOZ_HOMEDIR}/firefox/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{MOZ_HOMEDIR}/firefox/installs.ini rw,
owner @{MOZ_HOMEDIR}/firefox/profiles.ini rw,
owner @{MOZ_HOMEDIR}/firefox/*/ rw,
owner @{MOZ_HOMEDIR}/firefox/*/** rwk,
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{user_config_dirs}/ r, owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_cache_dirs}/mozilla/ rw,
owner @{user_cache_dirs}/mozilla/** rwk,
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
/var/tmp/ r, owner @{firefox_config_dirs}/ rw,
owner @{firefox_config_dirs}/{extensions,systemextensionsdev}/ rw,
owner @{firefox_config_dirs}/firefox/ rw,
owner @{firefox_config_dirs}/firefox/*/ rw,
owner @{firefox_config_dirs}/firefox/*/** rwk,
owner @{firefox_config_dirs}/firefox/installs.ini rw,
owner @{firefox_config_dirs}/firefox/profiles.ini rw,
owner @{firefox_config_dirs}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{firefox_cache_dirs}/ rw,
owner @{firefox_cache_dirs}/** rwk,
/tmp/ r, /tmp/ r,
/var/tmp/ r,
owner /tmp/* rw, owner /tmp/* rw,
owner /tmp/firefox_*/ rw, owner /tmp/firefox_*/ rw,
owner /tmp/firefox_*/* rwk, owner /tmp/firefox_*/* rwk,
owner /tmp/firefox{,-esr}/ rw, owner /tmp/@{firefox_name}/ rw,
owner /tmp/firefox{,-esr}/* rwk, owner /tmp/@{firefox_name}/* rwk,
owner /tmp/mozilla_*/ rw, owner /tmp/mozilla_*/ rw,
owner /tmp/mozilla_*/* rw, owner /tmp/mozilla_*/* rw,
owner /tmp/Temp-*/ rw, owner /tmp/Temp-*/ rw,
@{run}/mount/utab r,
@{run}/udev/data/* r, @{run}/udev/data/* r,
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
@{sys}/class/ r, @{sys}/class/ r,
@{sys}/class/**/ r, @{sys}/class/**/ r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/devices/pci[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/ r,
@{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r, @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/irq r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, @{sys}/devices/system/cpu/present r,
deny @{sys}/devices/system/cpu/present r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{PROC}/@{pid}/net/arp r, @{PROC}/@{pid}/net/arp r,
@{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/route r, @{PROC}/@{pid}/net/route r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/comm r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_score_adj w, owner @{PROC}/@{pid}/oom_score_adj w,
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/statm r,
deny owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/task/ r,
deny owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
deny owner @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/cmdline r,
deny owner @{PROC}/@{pids}/environ r, owner @{PROC}/@{pids}/environ r,
/dev/ r, /dev/ r,
/dev/video[0-9]* rw, /dev/hidraw[0-9]* rw,
/dev/hidraw[0-9]* rw, /dev/shm/ r,
owner /dev/dri/card[0-9]* rw, # File Inherit /dev/tty rw,
owner /dev/shm/org.chromium.* rw, /dev/video[0-9]* rw,
owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw, owner /dev/dri/card[0-9]* rw, # File Inherit
owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, owner /dev/shm/org.chromium.* rw,
owner /dev/tty[0-9]* rw, # File Inherit owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
deny /dev/shm/ r, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
owner /dev/tty[0-9]* rw, # File Inherit
# Silencer # Silencer
deny @{MOZ_LIBDIR}/** w, deny @{firefox_lib_dirs}/** w,
deny capability sys_ptrace,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny owner @{HOME}/.* r,
deny /tmp/MozillaUpdateLock-* w,
deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
deny /tmp/MozillaUpdateLock-* w,
deny capability sys_ptrace,
deny owner @{HOME}/.* r,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
include if exists <local/firefox> include if exists <local/firefox>
} }
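Review bot: The last hunk appears to turn several former `deny` rules into plain allows, most notably `owner @{PROC}/@{pids}/cmdline r,` and `owner @{PROC}/@{pids}/environ r,`. Reading the right-hand column as the new side, and given that `@{pids}` is not restricted to Firefox's own PIDs, the browser can now read the command line and environment of every process owned by the same user, and environments commonly carry tokens and other credentials. Unless a Firefox feature is known to need them, I would keep `deny owner @{PROC}/@{pids}/environ r,` and `deny owner @{PROC}/@{pids}/cmdline r,` under `# Silencer`. The newly allowed `/dev/shm/ r,` and the `@{sys}/devices/system/cpu/` reads deserve a justifying comment as well, and the new `# Warning:` header would be more useful if it named these accesses.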


@ -7,9 +7,12 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MOZ_HOMEDIR} = @{HOME}/.mozilla @{firefox_name} = firefox{,-esr}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = /{usr/,}lib/firefox/crashreporter @{exec_path} = @{firefox_lib_dirs}/crashreporter
profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
@ -30,26 +33,19 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/{usr/,}lib/firefox/minidump-analyzer rPx, @{firefox_lib_dirs}/minidump-analyzer rPx,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/X11/xkb/** r, /usr/share/X11/xkb/** r,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw, owner "@{firefox_config_dirs}/firefox/Crash Reports/{,**}" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw, owner @{firefox_config_dirs}/*.*/crashes/{,**} rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/@{hex}" rw, owner @{firefox_config_dirs}/*.*/extensions/*.xpi r,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner @{firefox_config_dirs}/*.*/minidumps/{,**} rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, owner @{firefox_cache_dirs}/firefox/*.*/** r,
owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/@{uuid} rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,
/tmp/ r, /tmp/ r,
/var/tmp/ r, /var/tmp/ r,
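Review bot: The three new per-profile rules lost the `firefox/` path component: `@{firefox_config_dirs}/*.*/crashes/{,**}`, `@{firefox_config_dirs}/*.*/extensions/*.xpi` and `@{firefox_config_dirs}/*.*/minidumps/{,**}` expand directly under `@{HOME}/.mozilla/`. The lines they replace, and the `Crash Reports` and `@{firefox_cache_dirs}/firefox/*.*/**` rules beside them, all sit under `firefox/`. As written the crash reporter would presumably be denied access to the profile's crash data; the rules should read e.g. `owner @{firefox_config_dirs}/firefox/*.*/crashes/{,**} rw,`. The firefox-minidump-analyzer section has the same omission in its `*.*/extensions/*.xpi` and `*.*/minidumps/` rules.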


@ -9,7 +9,12 @@ include <tunables/global>
@{MOZ_HOMEDIR} = @{HOME}/.mozilla @{MOZ_HOMEDIR} = @{HOME}/.mozilla
@{exec_path} = /{usr/,}lib/firefox/minidump-analyzer @{firefox_name} = firefox{,-esr}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{firefox_cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = @{firefox_lib_dirs}/minidump-analyzer
profile firefox-minidump-analyzer @{exec_path} { profile firefox-minidump-analyzer @{exec_path} {
include <abstractions/base> include <abstractions/base>
@ -17,17 +22,16 @@ profile firefox-minidump-analyzer @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.mozilla/firefox/*.*/extensions/*.xpi r,
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw, owner "@{firefox_config_dirs}/firefox/Crash Reports/" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw, owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/" rw,
owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw, owner "@{firefox_config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
owner @{firefox_config_dirs}/*.*/extensions/*.xpi r,
owner @{firefox_config_dirs}/*.*/minidumps/ rw,
owner @{firefox_config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, owner @{firefox_cache_dirs}/firefox/*.*/startupCache/*Cache* r,
owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw,
owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r,
owner /tmp/@{hex}.{dmp,extra} rw, owner /tmp/@{hex}.{dmp,extra} rw,
owner /tmp/firefox/.parentlock w, owner /tmp/firefox/.parentlock w,
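Review bot: `@{MOZ_HOMEDIR} = @{HOME}/.mozilla` is left in the preamble although every visible use of it in this file is replaced by `@{firefox_config_dirs}`. If nothing outside the shown hunks still references it, drop the line so the profile has a single definition of the config directory. The profile body continues outside the hunk, so this needs checking against the full file.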


@ -7,7 +7,11 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/pingsender @{firefox_name} = firefox{,-esr}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{firefox_config_dirs} = @{HOME}/.mozilla/
@{exec_path} = @{firefox_lib_dirs}/pingsender
profile firefox-pingsender @{exec_path} { profile firefox-pingsender @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -18,7 +22,7 @@ profile firefox-pingsender @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw, owner @{firefox_config_dirs}/firefox/*.*/saved-telemetry-pings/@{uuid} rw,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,


@ -7,7 +7,10 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox{,-esr}/plugin-container @{firefox_name} = firefox{,-esr}
@{firefox_lib_dirs} = /{usr/,}lib{,32,64}/@{firefox_name}/ /opt/@{firefox_name}/
@{exec_path} = @{firefox_lib_dirs}/plugin-container
profile firefox-plugin-container @{exec_path} { profile firefox-plugin-container @{exec_path} {
include <abstractions/base> include <abstractions/base>