diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index c5aa0bb1..7ffcae77 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -58,7 +58,7 @@ profile chromium-chromium @{exec_path} {
 # For storing passwords externally
 /{usr/,}bin/keepassxc-proxy rPUx,
- /{usr/,}bin/browserpass rUx,
+ /{usr/,}bin/browserpass rPx,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
 /{usr/,}bin/xdg-mime rPUx,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 6bc030ea..369bfb4b 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -166,7 +166,7 @@ profile firefox @{exec_path} {
 /{usr/,}bin/gpa rPUx,
 /{usr/,}bin/keepassxc-proxy rPUx,
 # For storing passwords externally
- /{usr/,}bin/browserpass rUx,
+ /{usr/,}bin/browserpass rPx,
 /{usr/,}bin/lsb_release rPx -> child-lsb_release,
diff --git a/apparmor.d/profiles-a-l/browserpass b/apparmor.d/profiles-a-l/browserpass
new file mode 100644
index 00000000..9e6175c3
--- /dev/null
+++ b/apparmor.d/profiles-a-l/browserpass
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/browserpass
+profile browserpass @{exec_path} {
+ include
+ include
+
+ deny network inet6 stream,
+ deny network inet stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/gpg rUx,
+
+ owner @{HOME}/.password-store/{,**} r,
+ owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
+ owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
+ owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+ owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
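Review bot: The new `/{usr/,}bin/browserpass rPx,` has no unconfined fallback, unlike the `rPUx` on the `keepassxc-proxy` line above it, so the browser can only start the native-messaging host where the `browserpass` profile is actually loaded. If that strictness is intended, a short comment such as `# strict: requires the browserpass profile to be loaded` would record it; the same applies to the identical change in the firefox profile. The profile added later in this commit lists only `~/.mozilla/firefox` paths, which look like files inherited from the parent browser, so the chromium transition presumably needs its own equivalents or it will log denials. That is worth confirming in complain mode before enforcing.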
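Review bot: `/{usr/,}bin/gpg rUx,` starts gpg with no profile at all, so everything this profile withholds (network, files outside the password store) becomes reachable again through the child, which is also the process that handles the private keys. If this profile set ships a gpg profile, `/{usr/,}bin/gpg rPx,` (or `rPUx` as a softer step) keeps the chain confined; otherwise an `rCx` child profile limited to `~/.gnupg` and the store would serve. Separately, `.parentlock rw` and the other `~/.mozilla/firefox` rules give a password helper access to browser state that it most likely only holds as inherited descriptors, and the `[0-9a-z]*.default` glob will not match directories such as `*.default-release`. A comment saying why these rules are needed, or `deny` rules if they only exist to quiet the log, would make the intent reviewable.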