Diffstat (limited to 'waterfox/debian/usr.bin.waterfox')
-rw-r--r--waterfox/debian/usr.bin.waterfox231
1 files changed, 231 insertions, 0 deletions
diff --git a/waterfox/debian/usr.bin.waterfox b/waterfox/debian/usr.bin.waterfox
new file mode 100644
index 0000000..543c310
--- /dev/null
+++ b/waterfox/debian/usr.bin.waterfox
@@ -0,0 +1,231 @@
+# vim:syntax=apparmor
+# Modified from firefox definition file
+# Original Author: Jamie Strandboge <jamie@canonical.com>
+
+# Declare an apparmor variable to help with overrides
+@{MOZ_LIBDIR}=/usr/lib/waterfox
+
+#include <tunables/global>
+
+# We want to confine the binaries that match:
+# /usr/lib/waterfox/waterfox
+# /usr/lib/waterfox/waterfox
+# but not:
+# /usr/lib/waterfox/waterfox.sh
+/usr/lib/waterfox/waterfox{,*[^s][^h]} {
+ #include <abstractions/audio>
+ #include <abstractions/cups-client>
+ #include <abstractions/dbus-strict>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/dconf>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/p11-kit>
+ #include <abstractions/ubuntu-unity7-base>
+ #include <abstractions/ubuntu-unity7-launcher>
+
+ #include <abstractions/dbus-accessibility-strict>
+ dbus (send)
+ bus=session
+ peer=(name=org.a11y.Bus),
+ dbus (receive)
+ bus=session
+ interface=org.a11y.atspi**,
+ dbus (receive, send)
+ bus=accessibility,
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+ @{PROC}/[0-9]*/net/dev r,
+ @{PROC}/[0-9]*/net/wireless r,
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ member=state,
+ dbus (receive)
+ bus=system
+ path=/org/freedesktop/NetworkManager,
+
+ # should maybe be in abstractions
+ /etc/ r,
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
+ /etc/xfce4/defaults.list r,
+ /usr/share/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ owner /{,var/}run/shm/shmfd-* rw,
+ owner /{dev,run}/shm/org.chromium.* rwk,
+ /tmp/.X[0-9]*-lock r,
+ /etc/udev/udev.conf r,
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+ # let the shell know we launched something
+ dbus (send)
+ bus=session
+ interface=org.gtk.gio.DesktopAppInfo
+ member=Launched,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # waterfox specific
+ /etc/waterfox*/ r,
+ /etc/waterfox*/** r,
+
+ # firefox specific
+ #/etc/xul-ext/** r,
+ #/etc/xulrunner-2.0*/ r,
+ #/etc/xulrunner-2.0*/** r,
+ #/etc/gre.d/ r,
+ #/etc/gre.d/* r,
+
+ # noisy
+ #deny @{MOZ_LIBDIR}/** w,
+ #deny /usr/lib/firefox-addons/** w,
+ #deny /usr/lib/xulrunner-addons/** w,
+ #deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+ deny @{HOME}/.local/share/recently-used.xbel r,
+
+ # TODO: investigate
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts waterfox and waterfox.sh is used
+ @{MOZ_LIBDIR}/** ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+ @{PROC}/sys/vm/overcommit_memory r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/platform/**/uevent r,
+ /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
+ owner @{HOME}/.cache/thumbnails/** rw,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+
+ # about:memory
+ owner @{PROC}/[0-9]*/statm r,
+ owner @{PROC}/[0-9]*/smaps r,
+
+ # Needed for container to work in xul builds
+ #/usr/lib/xulrunner-*/plugin-container ixr,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr and @{MOZ_LIBDIR}
+ /usr/ r,
+ /usr/** r,
+ @{MOZ_LIBDIR}/ r,
+ @{MOZ_LIBDIR}/** r,
+
+ # so browsing directories works
+ / r,
+ /**/ r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # per-user waterfox configuration
+ owner @{HOME}/.waterfox/ rw,
+ owner @{HOME}/.waterfox/** rw,
+ owner @{HOME}/.waterfox/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.waterfox/plugins/** rm,
+ owner @{HOME}/.waterfox/**/plugins/** rm,
+ owner @{HOME}/.gnome2/waterfox* rwk,
+ owner @{HOME}/.cache/waterfox/ rw,
+ owner @{HOME}/.cache/waterfox/** rw,
+ owner @{HOME}/.cache/waterfox/**/*.sqlite k,
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user w,
+ owner /{,var/}run/user/*/dconf/user w,
+ dbus (send)
+ bus=session
+ path=/org/gnome/GConf/Server
+ member=GetDefaultDatabase,
+ dbus (send)
+ bus=session
+ path=/org/gnome/GConf/Database/*
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.waterfox/**/extensions/** mixr,
+
+ #deny @{MOZ_LIBDIR}/update.test w,
+ #deny /usr/lib/mozilla/extensions/**/ w,
+ #deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ #deny /usr/share/mozilla/extensions/**/ w,
+ #deny /usr/share/mozilla/ w,
+
+ # Miscellaneous (to be abstracted)
+ # Ideally these would use a child profile. They are all ELF executables
+ # so running with 'Ux', while not ideal, is ok because we will at least
+ # benefit from glibc's secure execute.
+ /usr/bin/mkfifo Uxr, # investigate
+ /bin/ps Uxr,
+ /bin/uname Uxr,
+
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ profile lsb_release {
+ #include <abstractions/base>
+ #include <abstractions/python>
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-4] r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
+ }
+
+ # Addons
+ #include <abstractions/ubuntu-browsers.d/waterfox>
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.waterfox>
+}
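Review bot: The two includes that close the profile, `#include <abstractions/ubuntu-browsers.d/waterfox>` and `#include <local/usr.bin.waterfox>`, name files that this commit does not add. apparmor_parser fails on a missing include, so if the package does not install both files elsewhere the profile will not load and the browser runs unconfined. Either ship stub files for both paths alongside this profile or, where the installed AppArmor version supports it, write the local one as `#include if exists <local/usr.bin.waterfox>`. The header comment also lists `/usr/lib/waterfox/waterfox` twice, which looks like a leftover from the firefox profile; the second line should name the other binary the `waterfox{,*[^s][^h]}` glob is meant to match, or be dropped.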