From fe39148d0cd6ec9020883e8e2af9376412f8da86 Mon Sep 17 00:00:00 2001
From: B Stack
Date: Wed, 6 Mar 2019 15:23:42 -0500
Subject: WIP: waterfox dpkg
---
 waterfox/debian/usr.bin.waterfox | 231 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 231 insertions(+)
 create mode 100644 waterfox/debian/usr.bin.waterfox (limited to 'waterfox/debian/usr.bin.waterfox')
diff --git a/waterfox/debian/usr.bin.waterfox b/waterfox/debian/usr.bin.waterfox
new file mode 100644
index 0000000..543c310
--- /dev/null
+++ b/waterfox/debian/usr.bin.waterfox
@@ -0,0 +1,231 @@
+# vim:syntax=apparmor
+# Modified from firefox definition file
+# Original Author: Jamie Strandboge
+
+# Declare an apparmor variable to help with overrides
+@{MOZ_LIBDIR}=/usr/lib/waterfox
+
+#include
+
+# We want to confine the binaries that match:
+# /usr/lib/waterfox/waterfox
+# /usr/lib/waterfox/waterfox
+# but not:
+# /usr/lib/waterfox/waterfox.sh
+/usr/lib/waterfox/waterfox{,*[^s][^h]} {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #include
+ dbus (send)
+ bus=session
+ peer=(name=org.a11y.Bus),
+ dbus (receive)
+ bus=session
+ interface=org.a11y.atspi**,
+ dbus (receive, send)
+ bus=accessibility,
+
+ # for networking
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+ @{PROC}/[0-9]*/net/dev r,
+ @{PROC}/[0-9]*/net/wireless r,
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/NetworkManager
+ member=state,
+ dbus (receive)
+ bus=system
+ path=/org/freedesktop/NetworkManager,
+
+ # should maybe be in abstractions
+ /etc/ r,
+ /etc/mime.types r,
+ /etc/mailcap r,
+ /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
+ /etc/xfce4/defaults.list r,
+ /usr/share/xubuntu/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/defaults.list r,
+ owner @{HOME}/.local/share/applications/mimeapps.list r,
+ owner @{HOME}/.local/share/applications/mimeinfo.cache r,
+ owner /tmp/** m,
+ owner /var/tmp/** m,
+ owner /{,var/}run/shm/shmfd-* rw,
+ owner /{dev,run}/shm/org.chromium.* rwk,
+ /tmp/.X[0-9]*-lock r,
+ /etc/udev/udev.conf r,
+ # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
+ # Possibly move to an abstraction if anything else needs it.
+ deny /run/udev/data/** r,
+ # let the shell know we launched something
+ dbus (send)
+ bus=session
+ interface=org.gtk.gio.DesktopAppInfo
+ member=Launched,
+
+ /etc/timezone r,
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # waterfox specific
+ /etc/waterfox*/ r,
+ /etc/waterfox*/** r,
+
+ # firefox specific
+ #/etc/xul-ext/** r,
+ #/etc/xulrunner-2.0*/ r,
+ #/etc/xulrunner-2.0*/** r,
+ #/etc/gre.d/ r,
+ #/etc/gre.d/* r,
+
+ # noisy
+ #deny @{MOZ_LIBDIR}/** w,
+ #deny /usr/lib/firefox-addons/** w,
+ #deny /usr/lib/xulrunner-addons/** w,
+ #deny /usr/lib/xulrunner-*/components/*.tmp w,
+ deny /.suspended r,
+ deny /boot/initrd.img* r,
+ deny /boot/vmlinuz* r,
+ deny /var/cache/fontconfig/ w,
+ deny @{HOME}/.local/share/recently-used.xbel r,
+
+ # TODO: investigate
+ deny /usr/bin/gconftool-2 x,
+
+ # These are needed when a new user starts waterfox and waterfox.sh is used
+ @{MOZ_LIBDIR}/** ixr,
+ /usr/bin/basename ixr,
+ /usr/bin/dirname ixr,
+ /usr/bin/pwd ixr,
+ /sbin/killall5 ixr,
+ /bin/which ixr,
+ /usr/bin/tr ixr,
+ @{PROC}/ r,
+ @{PROC}/[0-9]*/cmdline r,
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+ @{PROC}/sys/vm/overcommit_memory r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/platform/**/uevent r,
+ /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
+ owner @{HOME}/.cache/thumbnails/** rw,
+
+ /etc/mtab r,
+ /etc/fstab r,
+
+ # Needed for the crash reporter
+ owner @{PROC}/[0-9]*/environ r,
+ owner @{PROC}/[0-9]*/auxv r,
+ /etc/lsb-release r,
+ /usr/bin/expr ix,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+
+ # about:memory
+ owner @{PROC}/[0-9]*/statm r,
+ owner @{PROC}/[0-9]*/smaps r,
+
+ # Needed for container to work in xul builds
+ #/usr/lib/xulrunner-*/plugin-container ixr,
+
+ # allow access to documentation and other files the user may want to look
+ # at in /usr and @{MOZ_LIBDIR}
+ /usr/ r,
+ /usr/** r,
+ @{MOZ_LIBDIR}/ r,
+ @{MOZ_LIBDIR}/** r,
+
+ # so browsing directories works
+ / r,
+ /**/ r,
+
+ # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+ owner @{HOME}/ r,
+ owner @{HOME}/Public/ r,
+ owner @{HOME}/Public/* r,
+ owner @{HOME}/Downloads/ r,
+ owner @{HOME}/Downloads/* rw,
+
+ # per-user waterfox configuration
+ owner @{HOME}/.waterfox/ rw,
+ owner @{HOME}/.waterfox/** rw,
+ owner @{HOME}/.waterfox/**/*.{db,parentlock,sqlite}* k,
+ owner @{HOME}/.waterfox/plugins/** rm,
+ owner @{HOME}/.waterfox/**/plugins/** rm,
+ owner @{HOME}/.gnome2/waterfox* rwk,
+ owner @{HOME}/.cache/waterfox/ rw,
+ owner @{HOME}/.cache/waterfox/** rw,
+ owner @{HOME}/.cache/waterfox/**/*.sqlite k,
+ owner @{HOME}/.config/gtk-3.0/bookmarks r,
+ owner @{HOME}/.config/dconf/user w,
+ owner /{,var/}run/user/*/dconf/user w,
+ dbus (send)
+ bus=session
+ path=/org/gnome/GConf/Server
+ member=GetDefaultDatabase,
+ dbus (send)
+ bus=session
+ path=/org/gnome/GConf/Database/*
+ member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+
+ #
+ # Extensions
+ # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
+ # Allow 'x' for downloaded extensions, but inherit policy for safety
+ owner @{HOME}/.waterfox/**/extensions/** mixr,
+
+ #deny @{MOZ_LIBDIR}/update.test w,
+ #deny /usr/lib/mozilla/extensions/**/ w,
+ #deny /usr/lib/xulrunner-addons/extensions/**/ w,
+ #deny /usr/share/mozilla/extensions/**/ w,
+ #deny /usr/share/mozilla/ w,
+
+ # Miscellaneous (to be abstracted)
+ # Ideally these would use a child profile. They are all ELF executables
+ # so running with 'Ux', while not ideal, is ok because we will at least
+ # benefit from glibc's secure execute.
+ /usr/bin/mkfifo Uxr, # investigate
+ /bin/ps Uxr,
+ /bin/uname Uxr,
+
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ profile lsb_release {
+ #include
+ #include
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-4] r,
+
+ # file_inherit
+ deny /tmp/gtalkplugin.log w,
+ }
+
+ # Addons
+ #include
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
-- cgit
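Review bot: The `lsb_release` child profile keeps the version-pinned interpreter globs carried over from the firefox profile (`/usr/bin/python3.[0-4] r,`, `/usr/local/lib/python3.[0-4]/dist-packages/ r,`, `python2.[4567]`), which on a 2019-era Debian/Ubuntu where lsb_release runs under python3.6 or 3.7 match nothing, so the child profile will presumably deny the interpreter and the crash reporter's lsb_release call fails. Widening them to `/usr/bin/python3.[0-9]* r,` and `/usr/local/lib/python3.[0-9]*/dist-packages/ r,` preserves the intent without hard-coding versions; any remaining denials would show up in the audit log attributed to the `lsb_release` profile. The three `Uxr` entries for `/usr/bin/mkfifo`, `/bin/ps` and `/bin/uname` leave confinement altogether, and the inherited `# investigate` note on mkfifo suggests this was never settled for firefox either, so for a WIP profile it is worth recording why each helper is needed by waterfox's launcher before keeping the Ux transition. The `#include` directives on this page show no `<abstractions/...>` argument, which looks like angle brackets lost in rendering rather than the committed content, but is worth checking since a bare `#include` would presumably not parse.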