feat(profile): firefox: handle nnp with keepassxc-proxy.

2024-12-27 07:27:24 +01:00 · 2024-09-20 23:34:03 +01:00 · 2024-09-20 23:34:03 +01:00 · e15bdcc9ad
commit e15bdcc9ad
parent 8979d84633
3 changed files with 7 additions and 8 deletions
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -105,8 +105,6 @@
  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

-  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
-
  @{run}/mount/utab r,

  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -19,7 +19,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>

-  signal (send) set=(term, kill) peer=keepassxc-proxy,
+  signal send set=(term, kill) peer=firefox//&keepassxc-proxy,

  #aa:dbus own bus=session name=org.mozilla.firefox
  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
@ -46,8 +46,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  # Common extensions
  /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rPx,
  @{bin}/browserpass         rPx,
-  # As a temporary solution - see issue #128
-  @{bin}/keepassxc-proxy     rix,
+  @{bin}/keepassxc-proxy     rPx -> firefox//&keepassxc-proxy,

  owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
  owner @{user_config_dirs}/ibus/bus/ r,
@ -72,6 +71,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
  owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,

+  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,
+
  # Silencer
  deny @{lib_dirs}/** w,

--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

-  signal (receive) set=(term, kill),
-
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

+  signal receive set=(term, kill) peer=firefox,
+
  @{exec_path} mr,

  /usr/share/icons/*/index.theme r,
@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} {
  # file_inherit
  deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
  deny owner @{run}/user/@{uid}/kpxc_server rw,
-  deny       /dev/shm/org.chromium.* rw,
+  deny       /dev/shm/org.chromium.@{rand6} rw,
  deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw,
  deny owner @{HOME}/.mozilla/** rw,
  deny owner @{user_cache_dirs}/mozilla/** rw,