diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 55ff461a..66a51772 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -105,8 +105,6 @@
 owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
 owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
- owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,
-
 @{run}/mount/utab r,
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index ef8bf584..f3594907 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -19,7 +19,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
- signal (send) set=(term, kill) peer=keepassxc-proxy,
+ signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
 #aa:dbus own bus=session name=org.mozilla.firefox
 #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
@@ -46,8 +46,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 # Common extensions
 /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
 @{bin}/browserpass rPx,
- # As a temporary solution - see issue #128
- @{bin}/keepassxc-proxy rix,
+ @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,
 owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
 owner @{user_config_dirs}/ibus/bus/ r,
@@ -72,6 +71,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,
 owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk,
+ owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,
+
 # Silencer
 deny @{lib_dirs}/** w,
diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy
index 5e973610..a193df0e 100644
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
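Review bot: The new `@{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy,` line drops the only explanation the old rule had (`# As a temporary solution - see issue #128`) and is the single stacked transition in this profile, so it deserves a comment of its own, e.g. `# Stacked under firefox so the proxy is confined by the intersection of both profiles`. Because the child runs under a stacked label, every access the proxy makes has to be allowed by the firefox profile as well as by keepassxc-proxy, so anything keepassxc-proxy grants that firefox does not (its `network` rules, `@{exec_path} mr`) is still denied; that is worth verifying against the audit log rather than assuming the child profile alone governs the proxy. The enclosing `profile firefox` block starts and ends outside this hunk.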
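Review bot: The added rule misspells the socket name: `org.keepassxc.KeePassXC.BrowsrServer` is missing the `e` that the line removed from abstractions/app/firefox in this same diff spells as `org.keepassxc.KeePassXC.BrowserServer`, so the rule matches nothing and the write permission the abstraction used to grant is silently lost. It should read `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,`. Since the proxy is now stacked under firefox, this rule is presumably what lets the stacked proxy reach the KeePassXC browser socket; with the typo the connection would surface as a denial in the audit log. The enclosing `profile firefox` block starts and ends outside this hunk.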
@@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} {
 include
 include
- signal (receive) set=(term, kill),
-
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
 network netlink raw,
+ signal receive set=(term, kill) peer=firefox,
+
 @{exec_path} mr,
 /usr/share/icons/*/index.theme r,
@@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} {
 # file_inherit
 deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw,
 deny owner @{run}/user/@{uid}/kpxc_server rw,
- deny /dev/shm/org.chromium.* rw,
+ deny /dev/shm/org.chromium.@{rand6} rw,
 deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw,
 deny owner @{HOME}/.mozilla/** rw,
 deny owner @{user_cache_dirs}/mozilla/** rw,
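Review bot: `signal receive set=(term, kill) peer=firefox,` covers only the keepassxc-proxy half of the stack: the firefox profile in this same diff now runs the proxy as `firefox//&keepassxc-proxy`, so the firefox component is also consulted on receive, and unless the kernel implicitly permits same-label signals (I am not aware that it does once a profile carries signal rules) the firefox profile would additionally need a `signal receive set=(term, kill) peer=firefox,` of its own or the TERM/KILL from Firefox is denied regardless of this rule. Worth confirming with a live kill and the audit log before relying on it, and a short comment on this line naming the stacked label it pairs with would help the next reader. The enclosing `profile keepassxc-proxy` block starts and ends outside this hunk.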