From 7b09b8c99a3368446939854563fbc30cfa5e095f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 3 Mar 2022 21:22:17 +0000 Subject: [PATCH] browser: add security key support & re-format the profiles. --- apparmor.d/abstractions/chromium-common | 2 +- apparmor.d/groups/browsers/chrome-gnome-shell | 2 +- apparmor.d/groups/browsers/chromium | 51 +++--- .../browsers/chromium-chrome-crashpad-handler | 9 +- .../groups/browsers/chromium-chrome-sandbox | 16 +- apparmor.d/groups/browsers/chromium-chromium | 154 +++++++----------- apparmor.d/groups/browsers/firefox | 149 ++++++++--------- .../groups/browsers/firefox-crashreporter | 51 +++--- .../groups/browsers/firefox-minidump-analyzer | 18 +- apparmor.d/groups/browsers/firefox-pingsender | 9 +- .../groups/browsers/firefox-plugin-container | 9 +- 11 files changed, 198 insertions(+), 272 deletions(-) diff --git a/apparmor.d/abstractions/chromium-common b/apparmor.d/abstractions/chromium-common index 81047af0..a9c26ac5 100644 --- a/apparmor.d/abstractions/chromium-common +++ b/apparmor.d/abstractions/chromium-common @@ -29,7 +29,7 @@ /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.* rw, - owner @{HOME}/.local/share/.org.chromium.Chromium.* rw, + owner @{user_share_dirs}/.org.chromium.Chromium.* rw, # Should this be read-only? (##FIXME##) # To remove the following error: diff --git a/apparmor.d/groups/browsers/chrome-gnome-shell b/apparmor.d/groups/browsers/chrome-gnome-shell index 2e45ec85..83947a43 100644 --- a/apparmor.d/groups/browsers/chrome-gnome-shell +++ b/apparmor.d/groups/browsers/chrome-gnome-shell @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/chrome-gnome-shell profile chrome-gnome-shell @{exec_path} { include + include include include include @@ -25,7 +26,6 @@ profile chrome-gnome-shell @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, 
diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 23621a72..d0dbb375 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -1,15 +1,12 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium -@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium -@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium - @{exec_path} = /{usr/,}bin/chromium profile chromium @{exec_path} flags=(attach_disconnected) { include @@ -17,44 +14,38 @@ profile chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{CHROMIUM_INSTALLDIR}/chromium rPx, + /{usr/,}lib/chromium/chromium rPx, /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/uname rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/expr rix, /{usr/,}bin/cat rix, - /{usr/,}bin/rm rix, /{usr/,}bin/cut rix, - /{usr/,}bin/tr rix, + /{usr/,}bin/expr rix, /{usr/,}bin/ls rix, /{usr/,}bin/mktemp rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/uname rix, - # For chromium -g /{usr/,}bin/gdb rPUx, - - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner /tmp/chromiumargs.?????? rw, - - # For a temp profile - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, - - # For "chromium --help" - /{usr/,}bin/man rPUx, - /{usr/,}bin/sed rix, - - /etc/chromium.d/{,*} r, - - /etc/debian_version r, + /{usr/,}bin/man rPUx, /usr/share/chromium/extensions/ r, - # file_inherit - owner /dev/tty[0-9]* rw, + /etc/chromium.d/{,*} r, + /etc/debian_version r, + owner @{HOME}/.xsession-errors w, - /dev/dri/card[0-9] rw, + + owner /tmp/chromiumargs.?????? rw, + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + + owner /dev/tty[0-9]* rw, + /dev/dri/card[0-9] rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } 
diff --git a/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler b/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler index a60ed295..8f7606a6 100644 --- a/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-chrome-crashpad-handler @@ -1,16 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium -@{CHROMIUM_HOMEDIR} = @{HOME}/.config/chromium -@{CHROMIUM_CACHEDIR} = @{HOME}/.cache/chromium - -@{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome_crashpad_handler +@{exec_path} = /{usr/,}lib/chromium/chrome_crashpad_handler profile chromium-chrome-crashpad-handler @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/browsers/chromium-chrome-sandbox b/apparmor.d/groups/browsers/chromium-chrome-sandbox index 9c85879c..bf38f356 100644 --- a/apparmor.d/groups/browsers/chromium-chrome-sandbox +++ b/apparmor.d/groups/browsers/chromium-chrome-sandbox 
@@ -1,33 +1,25 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium -@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium -@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium - -@{exec_path} = @{CHROMIUM_INSTALLDIR}/chrome-sandbox - +@{exec_path} = /{usr/,}lib/chromium/chrome-sandbox profile chromium-chrome-sandbox @{exec_path} { include - # For kernel unprivileged user namespaces capability sys_admin, capability sys_chroot, capability setuid, capability setgid, - capability dac_override, - - # optional capability sys_resource, @{exec_path} mr, - @{CHROMIUM_INSTALLDIR}/chromium rPx, + /{usr/,}lib/chromium/chromium rPx, @{PROC}/@{pids}/ r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index 8a101064..fe5f54a7 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Warning: Such a profile is limitted as it gives access to a lot of resources. 
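Review bot: `capability dac_override` is removed from chromium-chrome-sandbox here, and `capability sys_admin`, `capability sys_chroot` and the uid_map/gid_map/setgroups writes are removed from chromium-chromium in its hunk @@ -9,44 +9,32, but the commit message only speaks of security keys and re-formatting. Capability changes on a setuid sandbox helper should be traceable, so they deserve a mention in the description or a comment in the profile. The hunk also deletes the `# For kernel unprivileged user namespaces` comment that justified sys_admin/sys_chroot and the `# optional` marker on `capability sys_resource`; I would keep a justification next to the remaining capabilities, e.g. `# Needed to set up the namespace/chroot sandbox for renderers`. The profile body continues past the hunk.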
@@ -9,44 +9,32 @@ abi , include -@{CHROMIUM_INSTALLDIR} = /{usr/,}lib/chromium -@{CHROMIUM_HOMEDIR} = @{user_config_dirs}/chromium -@{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium - -@{exec_path} = @{CHROMIUM_INSTALLDIR}/chromium +@{exec_path} = /{usr/,}lib/chromium/chromium profile chromium-chromium @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include + include + include include include - include - include - include - include capability sys_ptrace, - ptrace (read) peer=chrome-gnome-shell, - - # The following rules are needed only when the kernel.unprivileged_userns_clone option is set - # to "1". - capability sys_admin, - capability sys_chroot, - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, - - ptrace (trace) peer=@{profile_name}, ptrace (read) peer=browserpass, + ptrace (read) peer=chrome-gnome-shell, ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=lsb_release, ptrace (read) peer=xdg-settings, + ptrace (trace) peer=@{profile_name}, signal (send) set=(term, kill) peer=keepassxc-proxy, signal (receive) peer=chromium-chrome-crashpad-handler, 
@@ -59,51 +47,51 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - /{usr/,}bin/chrome-gnome-shell rPx, - @{CHROMIUM_INSTALLDIR}/chrome-sandbox rPx, - @{CHROMIUM_INSTALLDIR}/chrome_crashpad_handler rPx, + /{usr/,}bin/chrome-gnome-shell rPx, + /{usr/,}lib/chromium/chrome-sandbox rPx, + /{usr/,}lib/chromium/chrome_crashpad_handler rPx, # For storing passwords externally /{usr/,}bin/keepassxc-proxy rPUx, /{usr/,}bin/browserpass rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/xdg-desktop-menu rPx, + /{usr/,}bin/xdg-icon-resource rPx, /{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-settings rPx, - /{usr/,}bin/xdg-desktop-menu rPx, - /{usr/,}bin/xdg-icon-resource rPx, - # Chromium files /usr/share/chromium/{,**} r, - - # Chrome extensions (for Debian) + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, - /usr/share/mozilla/extensions/{,**} r, - - /etc/libva.conf r, /etc/chromium/ r, /etc/chromium/master_preferences r, /etc/chromium/native-messaging-hosts/*.json r, + /etc/fstab r, + /etc/libva.conf r, + /etc/opensc.conf r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, - # Chromium home files owner @{HOME}/ r, - owner @{user_share_dirs}/ r, + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/chromium/ rw, + owner @{user_config_dirs}/chromium/** rwk, + owner @{user_config_dirs}/chromium/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{CHROMIUM_HOMEDIR}/ rw, - owner @{CHROMIUM_HOMEDIR}/** rwk, - owner @{CHROMIUM_HOMEDIR}/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, - - # Cache files owner @{user_cache_dirs}/ rw, - owner @{CHROMIUM_CACHEDIR}/{,**/} rw, - owner @{CHROMIUM_CACHEDIR}/*/**/{*-,}index rw, - owner @{CHROMIUM_CACHEDIR}/*/**/[a-f0-9]*_? 
rw, - owner @{CHROMIUM_CACHEDIR}/*/**/todelete_* rw, + owner @{user_cache_dirs}/chromium/{,**/} rw, + owner @{user_cache_dirs}/chromium/*/**/{*-,}index rw, + owner @{user_cache_dirs}/chromium/*/**/[a-f0-9]*_? rw, + owner @{user_cache_dirs}/chromium/*/**/todelete_* rw, + + owner @{user_share_dirs}/ r, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -115,27 +103,20 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - /etc/fstab r, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner /tmp/tmp.*/ rw, + owner /tmp/tmp.*/** rwk, + owner /tmp/scoped_dir*/{,**} rw, - # Needed or chromium gets crash with the following error: - # FATAL:sandbox_linux.cc(172)] Check failed: proc_fd_ >= 0 (-1 vs. 0) @{PROC}/ r, - # @{PROC}/vmstat r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - # To remove the following error: - # Failed to adjust OOM score of renderer with pid : Permission denied owner @{PROC}/@{pid}/oom_{,score_}adj rw, - # deny @{PROC}/@{pids}/cmdline r, owner @{PROC}/@{pids}/environ r, owner @{PROC}/@{pids}/task/ r, 
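Review bot: `owner @{user_config_dirs}/chromium/WidevineCdm/*/_platform_specific/linux_*/libwidevinecdm.so mrw,` keeps write and mmap-exec permission on the same user-writable file, and the preceding `owner @{user_config_dirs}/chromium/** rwk,` already grants the write. A library the confined process can both write and map executable is a W^X gap inside the profile: anything running under chromium-chromium can replace it and load it. If this is unavoidable because Chromium downloads the CDM into its own profile directory, the rule should say so, e.g. `# Widevine CDM is fetched into the profile dir by chromium itself, hence mrw`. The profile body continues outside the hunk.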
@@ -145,60 +126,43 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - # To remove the following error: - # file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches @{PROC}/sys/fs/inotify/max_user_watches r, - # owner @{PROC}/@{pids}/clear_refs w, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + @{run}/udev/data/* r, - # Udev enumeration @{sys}/bus/ r, @{sys}/bus/**/devices/ r, - @{sys}/devices/**/uevent r, @{sys}/class/ r, @{sys}/class/**/ r, - @{run}/udev/data/* r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, - - deny @{sys}/devices/virtual/tty/tty[0-9]/active r, - + @{sys}/devices/**/uevent r, @{sys}/devices/pci[0-9]*/**/irq r, - @{sys}/devices/pci[0-9]*/**/usb[0-9]*/**/report_descriptor r, + @{sys}/devices/pci[0-9]*/**/report_descriptor r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/virtual/**/report_descriptor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - # For the temp profile - owner /tmp/tmp.*/ rw, - owner /tmp/tmp.*/** rwk, + deny @{sys}/devices/virtual/tty/tty[0-9]/active r, - # Silencer - deny @{CHROMIUM_INSTALLDIR}/** w, - deny @{user_share_dirs}/gvfs-metadata/* r, + /dev/ r, + /dev/video[0-9]* rw, + /dev/hidraw[0-9]* rw, # file_inherit owner /dev/tty[0-9]* rw, - # Video support - /dev/ r, - /dev/video[0-9]* rw, - @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r, - - /etc/opensc.conf r, - - include - owner 
@{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, + # Silencer + deny /{usr/,}lib/chromium/** w, + deny @{user_share_dirs}/gvfs-metadata/* r, profile open { include - include include + include /{usr/,}bin/xdg-open mr, @@ -207,13 +171,13 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, + # Allowed apps to open + /{usr/,}bin/smplayer rPx, + owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, - # Allowed apps to open - /{usr/,}bin/smplayer rPx, - # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fef15987..8dddb7cc 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2015-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2015-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Warning: Such a profile is limitted as it gives access to a lot of resources. @@ -11,7 +11,6 @@ include @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} profile firefox @{exec_path} flags=(attach_disconnected) { include @@ -33,9 +32,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include - # Needed only when the kernel.unprivileged_userns_clone option is set to "1". - capability sys_admin, - capability sys_chroot, + capability sys_admin, # If kernel.unprivileged_userns_clone = 1 + capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 ptrace peer=@{profile_name}, 
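Review bot: `/dev/hidraw[0-9]* rw,` grants the browser read/write on every raw HID node, not only FIDO/U2F tokens, and the same rule is added to firefox in its hunk @@ -179,19 +144,45. AppArmor cannot match hidraw nodes by vendor or product, so only the kernel DAC bits that udev sets (uaccess/plugdev-style rules) decide which devices a session can actually open; that dependency is worth stating next to the rule, e.g. `# Security keys (FIDO/U2F): every hidraw node matches, udev DAC rules limit which are reachable`. `@{sys}/devices/pci[0-9]*/**/report_descriptor r,` likewise widens the former `usb[0-9]*/**/report_descriptor` path to every PCI-attached HID without a stated reason. The chromium-chromium profile continues outside the hunk.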
@@ -59,11 +57,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{MOZ_LIBDIR}/pingsender rPx, @{MOZ_LIBDIR}/plugin-container rPx, - @{libexec}/gvfsd-metadata rPx -> gvfsd-metadata, + @{libexec}/gvfsd-metadata rPx, /{usr/,}bin/browserpass rPx, /{usr/,}bin/gpa rPUx, /{usr/,}bin/keepassxc-proxy rPUx, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/update-mime-database rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, # Allowed apps to open @@ -83,14 +82,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/vlc rPx, /{usr/,}bin/xarchiver rPx, + /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/mozilla/plugins/ r, /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr, + /usr/share/doc/{,**} r, /usr/share/egl/{,**} r, /usr/share/firefox/{,**} r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mozilla/extensions/{,**} r, /usr/share/webext/{,**} r, + /usr/share/xul-ext/kwallet5/* r, /etc/firefox/{,**} r, /etc/fstab r, @@ -98,6 +100,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /etc/mailcap r, /etc/mime.types r, /etc/opensc.conf r, + /etc/xul-ext/kwallet5.js r, /var/lib/dbus/machine-id r, /etc/machine-id r, 
@@ -113,60 +116,22 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{MOZ_HOMEDIR}/firefox/*/** rwk, owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, - owner @{MOZ_CACHEDIR}/ rw, - owner @{MOZ_CACHEDIR}/** rwk, + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/mimeapps.list{,.*} rw, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + owner @{user_cache_dirs}/mozilla/ rw, + owner @{user_cache_dirs}/mozilla/** rwk, owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - deny @{sys}/devices/system/cpu/present r, - deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, - deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, - - # For Cryptographic Attestation of Personhood - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{run}/udev/data/c241:[0-9]* r, # dynamic - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/comm r, - deny owner @{PROC}/@{pid}/stat r, - deny owner @{PROC}/@{pids}/cmdline r, - deny owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pid}/task/ r, - deny owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/statm r, - deny owner @{PROC}/@{pid}/smaps r, - @{PROC}/@{pid}/net/arp r, - @{PROC}/@{pid}/net/if_inet6 r, - @{PROC}/@{pid}/net/route r, - - # Set default browser - /{usr/,}bin/update-mime-database rPx, - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner 
@{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, - # KDE system keyring - /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - /usr/share/xul-ext/kwallet5/* r, - /etc/xul-ext/kwallet5.js r, - - # For wayland - owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, /var/tmp/ r, /tmp/ r, 
@@ -179,19 +144,45 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner /tmp/mozilla_*/* rw, owner /tmp/Temp-*/ rw, - deny /dev/ r, - deny /dev/shm/ r, - owner /dev/shm/org.chromium.* rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw, + @{run}/udev/data/* r, - # Needed only when the kernel.unprivileged_userns_clone option is set to "1". - owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/uid_map w, + @{sys}/bus/ r, + @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, + @{sys}/class/ r, + @{sys}/class/**/ r, + @{sys}/devices/**/uevent r, + @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r, + deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r, + deny @{sys}/devices/system/cpu/present r, - # File Inherit - owner /dev/tty[0-9]* rw, - owner /dev/dri/card[0-9]* rw, + @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/@{pid}/net/route r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + deny owner @{PROC}/@{pid}/smaps r, + deny owner @{PROC}/@{pid}/stat r, + deny owner @{PROC}/@{pid}/statm r, + deny owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{PROC}/@{pids}/cmdline r, + deny owner @{PROC}/@{pids}/environ r, + + /dev/ r, + /dev/hidraw[0-9]* rw, + owner /dev/dri/card[0-9]* rw, # File Inherit + owner /dev/shm/org.chromium.* rw, + owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw, + owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, + owner /dev/tty[0-9]* rw, # File Inherit + deny /dev/shm/ r, # Silencer deny /{usr/,}lib/firefox/** w, 
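Review bot: `@{run}/udev/data/* r,` replaces the removed `@{run}/udev/data/c241:[0-9]* r, # dynamic`, widening read access from the hidraw entries to the udev database of every device (serial numbers, product strings and the like), and `/dev/ r,` replaces the former `deny /dev/ r,`. Both are plausible consequences of the dynamic hidraw major the old rule already flagged and of device enumeration for security keys, but neither is explained in the hunk. A comment such as `# hidraw major is dynamic, so the whole udev db is read during security-key enumeration` would record the rationale for the next reviewer. The firefox profile continues outside the hunk.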
@@ -211,26 +202,26 @@ profile firefox @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, + # Allowed apps to open + /{usr/,}bin/engrampa rPx, + /{usr/,}bin/evince rPx, + /{usr/,}bin/geany rPx, + /{usr/,}bin/okular rPx, + /{usr/,}bin/qbittorrent rPx, + /{usr/,}bin/qpdfview rPx, + /{usr/,}bin/smplayer rPx, + /{usr/,}bin/spacefm rPx, + /{usr/,}bin/telegram-desktop rPx, + /{usr/,}bin/thunderbird rPx, + /{usr/,}bin/viewnior rPUx, + /{usr/,}bin/vlc rPx, + /{usr/,}bin/xarchiver rPx, + /usr/share/xfce4/exo/exo-compose-mail rPx, + owner @{HOME}/ r, owner @{run}/user/@{uid}/ r, - # Allowed apps to open - /{usr/,}bin/engrampa rPx, - /{usr/,}bin/evince rPx, - /{usr/,}bin/geany rPx, - /{usr/,}bin/okular rPx, - /{usr/,}bin/qbittorrent rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/smplayer rPx, - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/telegram-desktop rPx, - /{usr/,}bin/thunderbird rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/vlc rPx, - /{usr/,}bin/xarchiver rPx, - /usr/share/xfce4/exo/exo-compose-mail rPx, - # file_inherit owner @{HOME}/.xsession-errors w, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 115c6336..0cb2b51f 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter 
@@ -1,25 +1,25 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla -@{exec_path} = @{MOZ_LIBDIR}/crashreporter +@{exec_path} = /{usr/,}lib/firefox/crashreporter profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include + include include + include + include + include + include include + include signal (receive) set=(term, kill) peer=firefox, 
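Review bot: `@{exec_path} = /{usr/,}lib/firefox/crashreporter` only matches the non-ESR install path, and the same hard-coding appears in the next hunk (`/{usr/,}lib/firefox/minidump-analyzer rPx,`) and in firefox-minidump-analyzer and firefox-pingsender, while the firefox profile keeps `@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}` and transitions with `@{MOZ_LIBDIR}/pingsender rPx,`. On a firefox-esr install those `rPx` transitions would find no matching profile and, if I read AppArmor's Px semantics right, the exec is denied rather than run unconfined. firefox-plugin-container in this same commit already uses `/{usr/,}lib/firefox{,-esr}/plugin-container`; the other helpers should follow, e.g. `@{exec_path} = /{usr/,}lib/firefox{,-esr}/crashreporter`. The profile body continues past the hunk.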
@@ -30,42 +30,39 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{MOZ_LIBDIR}/minidump-analyzer rPx, + /{usr/,}lib/firefox/minidump-analyzer rPx, /{usr/,}bin/mv rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/X11/xkb/** r, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/{,**}" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/crashreporter.ini" rw, - owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/events/[0-9a-f]*" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/[0-9a-f]*.{dmp,extra}" rw, - - owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw, - owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, + owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/submit.log" rw, owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/{,**} rw, owner @{MOZ_HOMEDIR}/firefox/*.*/crashes/events/@{uuid} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/{,**} rw, + owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, - /tmp/ r, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, - /var/tmp/ r, + owner @{user_cache_dirs}/mozilla/firefox/*.*/** r, - owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, - - include owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + /tmp/ r, + /var/tmp/ r, + owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/firefox/.parentlock w, - /usr/share/X11/xkb/** r, + owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, - # file_inherit - owner @{MOZ_CACHEDIR}/firefox/*.*/** r, - owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r, - /dev/dri/renderD128 rw, /dev/dri/card[0-9]* rw, + /dev/dri/renderD128 rw, include if exists } diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index af60b617..b9b9c33e 100644 
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer +++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -1,14 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox @{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla @{exec_path} = /{usr/,}lib/firefox/minidump-analyzer profile firefox-minidump-analyzer @{exec_path} { @@ -18,8 +17,8 @@ profile firefox-minidump-analyzer @{exec_path} { @{exec_path} mr, - owner /tmp/[0-9a-f]*.{dmp,extra} rw, - owner /tmp/firefox/.parentlock w, + owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r, + owner @{HOME}/.xsession-errors w, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw, owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/pending/" rw, @@ -28,12 +27,13 @@ profile firefox-minidump-analyzer @{exec_path} { owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/ rw, owner @{MOZ_HOMEDIR}/firefox/*.*/minidumps/@{uuid}.{dmp,extra} rw, + owner @{user_cache_dirs}/mozilla/firefox/*.*/startupCache/*Cache* r, + + owner /tmp/[0-9a-f]*.{dmp,extra} rw, + owner /tmp/firefox/.parentlock w, + owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* r, - # file_inherit - owner @{MOZ_CACHEDIR}/firefox/*.*/startupCache/*Cache* r, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r, /dev/dri/renderD128 rw, include if exists diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 38dccd40..7804b110 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender 
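Review bot: `owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,` hard-codes one machine's Firefox profile directory name, so the rule is dead on every other system, and it bypasses the `@{MOZ_HOMEDIR}` variable this file still defines. firefox-crashreporter in the same commit uses the generic form; align it to `owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,`. The `# file_inherit` comment that explained why the analyzer touches extension files and `.xsession-errors` was dropped in the move; keeping `# file_inherit` on those lines preserves that rationale.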
@@ -1,16 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox -@{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla - -@{exec_path} = @{MOZ_LIBDIR}/pingsender +@{exec_path} = /{usr/,}lib/firefox/pingsender profile firefox-pingsender @{exec_path} { include include diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index d4074ccc..7827c3fe 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -1,16 +1,13 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} -@{MOZ_HOMEDIR} = @{HOME}/.mozilla -@{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla - -@{exec_path} = @{MOZ_LIBDIR}/plugin-container +@{exec_path} = /{usr/,}lib/firefox{,-esr}/plugin-container profile firefox-plugin-container @{exec_path} { include