From db35aa9249837a291eafecc89fc9c35ac206055c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 12 Jul 2023 21:59:13 +0100
Subject: [PATCH] feat(profiles): add firefox  glxtest & vaapitest profiles.

---
 apparmor.d/groups/browsers/firefox            |  4 +--
 apparmor.d/groups/browsers/firefox-glxtest    | 33 +++++++++++++++++++
 apparmor.d/groups/browsers/firefox-pingsender |  2 +-
 apparmor.d/groups/browsers/firefox-vaapitest  | 33 +++++++++++++++++++
 dists/flags/main.flags                        |  2 ++
 5 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 apparmor.d/groups/browsers/firefox-glxtest
 create mode 100644 apparmor.d/groups/browsers/firefox-vaapitest

diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 2435cb09..962211bc 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -134,11 +134,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{firefox_lib_dirs}/{,**}             r,
   @{firefox_lib_dirs}/*.so              mr,
   @{firefox_lib_dirs}/crashreporter     rPx,
-  @{firefox_lib_dirs}/glxtest          rPUx,
+  @{firefox_lib_dirs}/glxtest           rPx,
   @{firefox_lib_dirs}/minidump-analyzer rPx,
   @{firefox_lib_dirs}/pingsender        rPx,
   @{firefox_lib_dirs}/plugin-container  rPx,
-  @{firefox_lib_dirs}/vaapitest        rPUx,
+  @{firefox_lib_dirs}/vaapitest         rPx,
   @{lib}/mozilla/kmozillahelper        rPUx,
 
   @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
new file mode 100644
index 00000000..6833b6d1
--- /dev/null
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{firefox_name} = firefox{,.sh,-esr,-bin}
+@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
+@{firefox_config_dirs} = @{HOME}/.mozilla/
+
+@{exec_path} = @{firefox_lib_dirs}/glxtest
+profile firefox-glxtest @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl-nvidia>
+  include <abstractions/vulkan>
+
+  @{exec_path} mr,
+
+  owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
+
+  owner /tmp/firefox/.parentlock rw,
+
+  @{sys}/bus/pci/devices/ r,
+  @{sys}/devices/pci[0-9]*/**/class r,
+
+  include if exists <local/firefox-glxtest>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender
index 9f0ba599..db4d0430 100644
--- a/apparmor.d/groups/browsers/firefox-pingsender
+++ b/apparmor.d/groups/browsers/firefox-pingsender
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{firefox_name} = firefox{,-esr}
+@{firefox_name} = firefox{,.sh,-esr,-bin}
 @{firefox_lib_dirs} = @{lib}/@{firefox_name}/ /opt/@{firefox_name}/
 @{firefox_config_dirs} = @{HOME}/.mozilla/
 
diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest
new file mode 100644
index 00000000..ce21b645
--- /dev/null
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{firefox_name} = firefox{,.sh,-esr,-bin}
+@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
+
+@{exec_path} = @{firefox_lib_dirs}/vaapitest
+profile firefox-vaapitest @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dri-enumerate>
+  include <abstractions/dri-common>
+  include <abstractions/nvidia>
+  include <abstractions/vulkan>
+
+  @{exec_path} mr,
+
+  /etc/igfx_user_feature{,_next}.txt w,
+  /etc/libva.conf r,
+
+  owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
+  owner @{firefox_config_dirs}/firefox/*/startupCache/*Cache* r,
+
+  owner /tmp/firefox/.parentlock rw,
+
+  @{sys}/devices/pci[0-9]*/**/{irq,revision,resource} r,
+
+  include if exists <local/firefox-vaapitest>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index e1a435ba..d753505d 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -99,7 +99,9 @@ fail2ban-client attach_disconnected,complain
 fail2ban-server attach_disconnected,complain
 fdisk complain
 file-roller complain
+firefox-glxtest complain
 firefox-kmozillahelper complain
+firefox-vaapitest complain
 firewalld complain
 flatpak-session-helper complain
 fsck-ext4 complain