Apparmor Profiles for Firefox and Edge-beta Browsers

Discussion in 'all things UNIX' started by wat0114, Jan 7, 2022.

    1. wat0114 (Registered Member)

    There seems to be little to no interest in Apparmor these days, but I figured I would share my Apparmor profiles for the latest versions of the Firefox and Microsoft-Edge-beta browsers, which I'm currently using on the Debian-based MX-21 KDE Desktop. Before posting them, some information first.

    Before even beginning, it is important to know:

    1. the learning curve for Apparmor is quite steep, but if I can get a generally decent handle on it (by no means expert) then anyone can.
    2. you must be patient, enthusiastic and willing to spend lots of time on it.
    3. Apparmor is currently not perfect. It tends to create duplicate entries, usually one with read (r,) permissions and one with write (w,) permissions. It is handy to open the profiles with a text editor (I prefer Geany) and combine duplicate entries into one with read and write (rw,) permissions.
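Point 3 above describes merging the duplicate r/w entries that aa-logprof leaves behind by hand in a text editor. The following script, an added example that is not part of the original post, does that merge mechanically over a profile and refuses to merge rules whose exec modes disagree (Px versus ix), since guessing there would change what the profile confines. The sample profile is constructed from entries like those in the opt.firefox.firefox profile posted below.

```python
"""Merge the duplicate file rules aa-logprof tends to leave behind (one 'r,'
line and one 'w,' line for the same path) into a single 'rw,' rule.
Added example, not part of the original post.  Only plain file rules are
touched; #include, capability, signal, ptrace lines and braces pass through."""
import re
from typing import Dict, List, Set, Tuple

# One file rule: optional 'deny', optional 'owner', a bare path starting with
# '/' or '@' (variables such as @{HOME}) or a "quoted" path, then the
# permission string and trailing comma.  Anything else is left untouched.
RULE_RE = re.compile(
    r'^(?P<indent>\s*)(?P<deny>deny\s+)?(?P<owner>owner\s+)?'
    r'(?P<path>"[^"]*"|[/@]\S*)\s+(?P<perms>[A-Za-z]+),\s*$'
)
# Non-exec access modes, emitted in the order aa-logprof itself uses (mrwk...)
BASIC = "mrwakl"


def split_perms(perms: str) -> Tuple[Set[str], str]:
    """'mrix' -> ({'m','r'}, 'ix'); 'rwk' -> ({'r','w','k'}, '')."""
    basic = {c for c in perms if c in BASIC}
    exec_mode = "".join(c for c in perms if c not in BASIC)
    return basic, exec_mode


def join_perms(basic: Set[str], exec_mode: str) -> str:
    # 'w' already covers 'a' (append); apparmor_parser rejects both together.
    if "w" in basic:
        basic = basic - {"a"}
    return "".join(c for c in BASIC if c in basic) + exec_mode


def merge_profile(text: str) -> Tuple[str, List[str]]:
    """Return (profile with duplicates merged, list of conflict messages).

    Two rules merge only when their deny/owner qualifiers and path match
    exactly and their exec modes agree (or one has none).  'Px' versus 'ix'
    on the same path is a conflict: both lines are kept for a human to
    resolve, because guessing would change what the profile confines.
    """
    out: List[str] = []
    seen: Dict[Tuple[bool, bool, str], int] = {}   # key -> index into out
    conflicts: List[str] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        key = (bool(m["deny"]), bool(m["owner"]), m["path"])
        basic, exec_mode = split_perms(m["perms"])
        if key not in seen:
            seen[key] = len(out)
            out.append(line)
            continue
        prev = RULE_RE.match(out[seen[key]])
        pbasic, pexec = split_perms(prev["perms"])
        if exec_mode and pexec and exec_mode != pexec:
            conflicts.append(f"{m['path']}: exec modes {pexec!r} vs {exec_mode!r}")
            out.append(line)
            continue
        merged = join_perms(pbasic | basic, pexec or exec_mode)
        out[seen[key]] = (f"{prev['indent']}{prev['deny'] or ''}"
                          f"{prev['owner'] or ''}{prev['path']} {merged},")
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), conflicts


# Constructed sample modelled on the duplicate entries in the post's
# opt.firefox.firefox profile (not the full profile).
SAMPLE = """\
/opt/firefox/firefox {
  #include <abstractions/base>

  capability sys_admin,

  deny owner /home/*/Downloads/*.exe rw,

  /usr/bin/pdfarranger mrix,
  /usr/bin/pdfarranger r,
  /usr/bin/python3.9 ix,
  /usr/bin/python3.9 ix,
  /opt/firefox/plugin-container Px,
  /opt/firefox/plugin-container ix,
  owner "/home/*/.mozilla/firefox/Crash Reports/InstallTime*" r,
  owner "/home/*/.mozilla/firefox/Crash Reports/InstallTime*" w,
  owner /home/*/.config/pulse/cookie r,
  owner /home/*/.config/pulse/cookie wk,

}
"""

if __name__ == "__main__":
    merged, conflicts = merge_profile(SAMPLE)
    print(merged)
    for c in conflicts:
        print("CONFLICT, resolve by hand:", c)
```

Run it over a copy of a profile, then reload with sudo service apparmor reload; apparmor_parser will still reject anything the merge got wrong before it is loaded.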

    Some helpful Apparmor links:

    https://ubuntu.com/server/docs/security-apparmor

    You will want to familiarize yourself with all the common Apparmor commands listed from the above link.

    You will use most often:

    sudo aa-logprof
    sudo service apparmor reload
    sudo aa-complain /path/to/bin e.g.: sudo aa-complain /etc/apparmor.d/opt.firefox.firefox
    sudo aa-enforce /path/to/bin e.g.: sudo aa-enforce /etc/apparmor.d/opt.firefox.firefox
    sudo aa-status

    This openSUSE link is relevant to Debian and goes into greater detail:

    https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html

    In addition, it is helpful to sometimes clear the syslogs, as profiling using aa-logprof checks the logs for Apparmor events. You can create a text file using a text editor such as leaf, Geany, or KWrite, then paste in:

    Code:
    #!/bin/bash
    # Empty the syslog so the next aa-logprof run only sees fresh Apparmor events
    sudo truncate -s 0 /var/log/syslog

    Then name the file, for example, clearsyslogs.sh.

    Then right-click -> Properties -> Permissions, enable the "Is executable" box and save it, probably to your Desktop.

    There are several threads throughout this forum on Apparmor that offer good information and tips.

    First, my profile(s) for Firefox, **which is very specific, using the add-on uBlock Origin and the Sunset Foggy Sea by Madonna theme**. Any other extension or theme desired will require several rounds of profiling using sudo aa-logprof.

    File name: opt.firefox.firefox-bin

    Code:
    # Last Modified: Mon Dec 20 17:36:33 2021
    #include <tunables/global>
    
    /opt/firefox/firefox-bin {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/totem>
    
      capability sys_admin,
    
      /opt/firefox/firefox-bin Px,
      /opt/firefox/libnspr*.so mr,
      /opt/firefox/libplc*.so mr,
      /opt/firefox/libplds*.so mr,
      /sys/devices/pci0000:00/0000:00:1f.4/class r,
      /sys/devices/pci0000:00/0000:00:1f.4/device r,
      /sys/devices/pci0000:00/0000:00:1f.4/vendor r,
      /sys/devices/system/cpu/cpu0/cache/index*/size r,
      /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
      /sys/devices/system/cpu/present r,
      /{media,mnt,opt,srv}/** mr,
      owner "/home/*/.mozilla/firefox/Crash Reports/InstallTime*" r,
      owner /home/*/.cache/event-sound-cache.*.*.x86_64-pc-linux-gnu rwk,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/*.tmp rw,
      owner /home/*/.config/gtk-3.0/assets/*.svg r,
      owner /home/*/.config/pulse/cookie rw,
      owner /home/*/.mozilla/firefox/*.default-release/.parentlock wk,
      owner /home/*/.mozilla/firefox/*.default-release/lock rw,
      owner /home/*/.mozilla/firefox/profiles.ini r,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/staged/@testpilot-containers.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/*/*.files/* r,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/*/*.files/journals/* rw,
      owner /opt/firefox/fonts/** mrw,
      owner /proc/*/cgroup r,
      owner /proc/*/stat r,
      owner /proc/*/task/*/stat r,
    
    }

    File name: opt.firefox.plugin-container

    Code:
    # Last Modified: Wed Dec 29 06:16:30 2021
    #include <tunables/global>
    
    /opt/firefox/plugin-container flags=(complain) {
      #include <abstractions/base>
    
      /opt/firefox/plugin-container mr,
    
    }

    File name: opt.firefox.firefox

    Code:
    # Last Modified: Tue Jan  4 12:12:49 2022
    #include <tunables/global>
    
    /opt/firefox/firefox {
      #include <abstractions/audio>
      #include <abstractions/base>
      #include <abstractions/postfix-common>
      #include <abstractions/python>
      #include <abstractions/totem>
      #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
      #include <abstractions/ubuntu-konsole>
    
      capability sys_admin,
    
      signal send set=term peer=/opt/firefox/plugin-container,
    
      ptrace trace peer=/opt/firefox/firefox,
    
      deny owner /home/*/Downloads/*.exe rw,
    
      /etc/mailcap r,
      /etc/mime.types r,
      /opt/firefox/firefox-bin mrix,
      /opt/firefox/libnspr*.so mr,
      /opt/firefox/libplc*.so mr,
      /opt/firefox/libplds*.so mr,
      /opt/firefox/plugin-container Px,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /proc/sys/dev/i915/perf_stream_paranoid r,
      /run/pulseaudio-enable-autospawn r,
      /sys/devices/pci0000:00/0000:00:*.*/0000:0*:00.0/class r,
      /sys/devices/pci0000:00/0000:00:*.*/0000:0*:00.0/device r,
      /sys/devices/pci0000:00/0000:00:*.*/0000:0*:00.0/vendor r,
      /sys/devices/pci0000:00/0000:00:*.*/class r,
      /sys/devices/pci0000:00/0000:00:*.*/device r,
      /sys/devices/pci0000:00/0000:00:*.*/vendor r,
      /sys/devices/pci0000:00/0000:00:0?.0/subsystem_device r,
      /sys/devices/pci0000:00/0000:00:0?.0/subsystem_vendor r,
      /sys/devices/system/cpu/cpu0/cache/index*/* r,
      /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
      /sys/devices/system/cpu/present r,
      /usr/bin/dash mrix,
      /usr/bin/lsb_release mrix,
      /usr/bin/pdfarranger mrix,
      /usr/bin/pdfarranger r,
      /usr/bin/python3.9 ix,
      /usr/bin/python3.9 ix,
      /var/cache/fontconfig/ rw,
      /{media,mnt,opt,srv}/** mr,
      owner "/home/*/.mozilla/firefox/Crash Reports/InstallTime*" rw,
      owner "/home/*/.mozilla/firefox/Crash Reports/LastCrash" r,
      owner "/home/*/Documents/.Keepass New database.kdbx.lock" r,
      owner "/home/*/Documents/Apparmor Profiles/*/*.sh" r,
      owner "/home/*/Documents/Apparmor Profiles/*/opt.*" r,
      owner "/home/*/Documents/Apparmor Profiles/*/usr.*" r,
      owner "/home/*/Documents/Keepass New database.kdbx" r,
      owner /**/ rw,
      owner /home/*/*.html rw,
      owner /home/*/.Xauthority r,
      owner /home/*/.bash_history r,
      owner /home/*/.bash_logout r,
      owner /home/*/.bashrc r,
      owner /home/*/.cache/event-sound-cache.*.*.x86_64-pc-linux-gnu rwk,
      owner /home/*/.cache/fontconfig/*-*.cache-* rwk,
      owner /home/*/.cache/fontconfig/*.TAG.LCK w,
      owner /home/*/.cache/fontconfig/*.TAG.NEW w,
      owner /home/*/.cache/fontconfig/CACHEDIR.TAG.TMP-* rw,
      owner /home/*/.cache/mesa_shader_cache/*/* rwk,
      owner /home/*/.cache/mesa_shader_cache/3*/* r,
      owner /home/*/.cache/mesa_shader_cache/index rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/.startup-incomplete rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/cache2/*.tmp rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/cache2/??_* rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/cache2/doomed/* rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/cache2/entries/* rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/cache2/index rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/*.sbstore rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/*.vlpset rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/block-flashsubdoc-digest256.vlpset rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/google4/*.vlpset rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/google4/goog-malware-proto.metadata rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/google4/goog-phish-proto.metadata rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing-updating/mozstd-trackwhite-digest256.vlpset rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing/*.sbstore r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing/*.vlpset r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing/*/*.vlpset r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/safebrowsing/google4/*.metadata r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/settings/*/*/*/*/*.ftl.tmp rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/settings/main/ms-language-packs/browser/newtab/*.ftl rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/*.bin rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/*.sc.lz4 rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/*.sc.lz4.tmp rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/scriptCache-child-current.bin r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/scriptCache-current.bin r,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/startupCache.*.* rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/urlCache-current.bin rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/urlCache-new.bin rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/startupCache/urlCache.bin rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/thumbnails/*.png rw,
      owner /home/*/.cache/mozilla/firefox/*.default-release/thumbnails/*.png.tmp rw,
      owner /home/*/.config/*.list r,
      owner /home/*/.config/dconf/user r,
      owner /home/*/.config/gtk-3.0/*.css r,
      owner /home/*/.config/gtk-3.0/assets/*.svg r,
      owner /home/*/.config/gtk-3.0/settings.ini r,
      owner /home/*/.config/pulse/cookie rk,
      owner /home/*/.inputrc r,
      owner /home/*/.local/share/applications/*.desktop r,
      owner /home/*/.local/share/applications/*.list r,
      owner /home/*/.mozilla/firefox/firefox-mpris/*.png rw,
      owner /home/*/.mozilla/firefox/profiles.ini r,
      owner /home/*/.mozilla/firefox/*.default-release/*.*.lz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.db rwk,
      owner /home/*/.mozilla/firefox/*.default-release/*.json rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.json.mozlz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.json.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.jsonlz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/*.sqlite-journal rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.sqlite-wal rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/*.txt rw,
      owner /home/*/.mozilla/firefox/*.default-release/.parentlock wk,
      owner /home/*/.mozilla/firefox/*.default-release/bookmarkbackups/*.jsonlz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/bookmarkbackups/*.jsonlz4.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/chrome/*.css r,
      owner /home/*/.mozilla/firefox/*.default-release/compatibility.ini rw,
      owner /home/*/.mozilla/firefox/*.default-release/cookies.sqlite-wal rw,
      owner /home/*/.mozilla/firefox/*.default-release/crashes/*.json.mozlz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/crashes/*.json.mozlz4.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/*.json r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/*.json.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/archived/202?-*/*.*.deletion-request.jsonlz4 r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/archived/202?-*/*.*.event.jsonlz4 r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/archived/202?-*/*.*.first-shutdown.jsonlz4 r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/archived/202?-*/*.*.main.jsonlz4 r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/archived/202?-*/*.*.new-profile.jsonlz4 r,
      owner /home/*/.mozilla/firefox/*.default-release/datareporting/glean/db/data.safe.bin rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/\{36b123f7-ed7e-402a-a2ce-cbd68387dbdc\}.xpi r,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/\{cb450604-c5ea-45d8-a8e6-4c6231419ef2\}.xpi r,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/\{fc48c481-0e1a-4f93-8dd8-4f212b2018fa\}.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/staged/\{fc48c481-0e1a-4f93-8dd8-4f212b2018fa\}.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/staged/uBlock0@raymondhill.net.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/trash/\{fc48c481-0e1a-4f93-8dd8-4f212b2018fa\}.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/trash/uBlock0@raymondhill.net.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/extensions/uBlock0@raymondhill.net.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/features/\{????????-????-????-????-????????????\}/reset-search-defaults@mozilla.com.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/features/\{????????-????-????-????-????????????\}/staged/reset-search-defaults@mozilla.com.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/features/\{????????-????-????-????-????????????\}/staged/webcompat@mozilla.org.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/features/\{????????-????-????-????-????????????\}/webcompat@mozilla.org.xpi rw,
      owner /home/*/.mozilla/firefox/*.default-release/gmp-gmpopenh264/*/*.info r,
      owner /home/*/.mozilla/firefox/*.default-release/gmp-widevinecdm/*/*.json r,
      owner /home/*/.mozilla/firefox/*.default-release/gmp/Linux_x86_64-gcc3/gmp-widevinecdm/*/*/origin rw,
      owner /home/*/.mozilla/firefox/*.default-release/gmp/Linux_x86_64-gcc3/gmp-widevinecdm/*/*/salt rw,
      owner /home/*/.mozilla/firefox/*.default-release/gmp/Linux_x86_64-gcc3/gmp-widevinecdm/*/*/topLevelOrigin rw,
      owner /home/*/.mozilla/firefox/*.default-release/lock rw,
      owner /home/*/.mozilla/firefox/*.default-release/minidumps/*.dmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/prefs-*.js rw,
      owner /home/*/.mozilla/firefox/*.default-release/prefs.js rw,
      owner /home/*/.mozilla/firefox/*.default-release/security_state/*.safe.bin rw,
      owner /home/*/.mozilla/firefox/*.default-release/sessionstore-backups/*.baklz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/sessionstore-backups/*.jsonlz4 rw,
      owner /home/*/.mozilla/firefox/*.default-release/sessionstore-backups/*.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*.*/*/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*.*/*/usage rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*.*/.metadata-v2 rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*.*/.metadata-v2-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/*.marker rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/*.sqlite-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/*.sqlite-journal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/usage rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/usage-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/usage-journal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/*/usage-journal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/.metadata-v2 rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/.metadata-v2-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/cache/*.sqlite-wal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.*/cache/.padding rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.ca/*/idb-deleting-*-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/https+++*.com/*/idb-deleting-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/*/*.files/??? rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/*/*.files/journals/??? rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/*/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/*/*.sqlite-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/.metadata-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++*/.metadata-v2-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++www-*-*-*-*/*/*.files/journals/* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++www/*/*.files/* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++www/*/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++www/*/*.sqlite-wal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/default/moz-extension+++www/.metadata-* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/*/*.files/* rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/.metadata-v2 r,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/idb/*.files/journals/? rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/idb/*.sqlite rwk,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/chrome/idb/*.sqlite-wal rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/indexeddb+++*/.metadata-v2 rw,
      owner /home/*/.mozilla/firefox/*.default-release/storage/permanent/indexeddb+++fx-devtools/.metadata-v2-tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/failed/*.json rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/failed/*.json.corrupt rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/failed/*.json.tmp rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/logs/*.txt rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/toFetch/*.json rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/toFetch/*.json.corrupt rw,
      owner /home/*/.mozilla/firefox/*.default-release/weave/toFetch/*.json.tmp rw,
      owner /home/*/.profile r,
      owner /home/*/.xsession-errors r,
      owner /home/*/Desktop/*.sh rw,
      owner /home/*/Desktop/trash:⁄.desktop r,
      owner /home/*/Documents/*-key.keyx; r,
      owner /home/*/Documents/*.csv rw,
      owner /home/*/Documents/*.csv.tmp rw,
      owner /home/*/Documents/*.html rw,
      owner /home/*/Documents/*.jpg rw,
      owner /home/*/Documents/*.pdf rw,
      owner /home/*/Documents/*.png rw,
      owner /home/*/Documents/*.ppt rw,
      owner /home/*/Documents/*.tmp rw,
      owner /home/*/Documents/keepass-key.key r,
      owner /home/*/Documents/logins-updated.xlsx r,
      owner /home/*/Documents/logins-updated.xlsx.asc r,
      owner /home/*/Documents/opt.*.* rw,
      owner /home/*/Downloads/*.*.txt rw,
      owner /home/*/Downloads/*.html rw,
      owner /home/*/Downloads/*.pdf rw,
      owner /home/*/Downloads/*.png rw,
      owner /home/*/Downloads/*.webp rw,
      owner /home/*/Downloads/opt.* rw,
      owner /home/*/Pictures/*.jpg rw,
      owner /home/*/Pictures/*.webp rw,
      owner /home/*/revoke.asc r,
      owner /home/*/ r,
      owner /opt/firefox/fonts/** mrw,
      owner /proc/*/cgroup r,
      owner /proc/*/gid_map rw,
      owner /proc/*/maps r,
      owner /proc/*/mountinfo r,
      owner /proc/*/setgroups rw,
      owner /proc/*/stat r,
      owner /proc/*/status r,
      owner /proc/*/task/*/stat r,
      owner /proc/*/uid_map rw,
    
    }

    It is assumed your .mozilla/firefox profile will typically have a name such as r08tmeqy.default-release, so I used a wildcard *.default-release for compatibility with different profile names.

    Now for the Microsoft Edge beta profiles, also using the uBlock Origin extension from the Chrome store and one of the built-in themes:

    File name: opt.microsoft.msedge-beta.msedge

    Code:
    # Last Modified: Sat Jan  8 05:02:32 2022
    #include <tunables/global>
    
    /opt/microsoft/msedge-beta/msedge {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/opencl-pocl>
      #include <abstractions/postfix-common>
      #include <abstractions/totem>
      #include <abstractions/ubuntu-browsers.d/plugins-common>
      #include <abstractions/ubuntu-konsole>
    
      capability sys_admin,
    
      ptrace read peer=/opt/microsoft/msedge-beta/msedge//null-/opt/microsoft/msedge-beta/microsoft-edge-beta//null-/opt/microsoft/msedge-beta/msedge,
      ptrace read peer=/opt/microsoft/msedge-beta/msedge//null-/usr/bin/xdg-settings,
      ptrace trace peer=/opt/microsoft/msedge-beta/msedge,
    
      deny owner "/home/*/.config/microsoft-edge-beta/Diagnostic Data" rwk,
      deny owner "/home/*/.config/microsoft-edge-beta/Diagnostic Data-wal" rw,
      deny owner "/home/*/.config/microsoft-edge-beta/Edge Shopping/*/" rw,
    
      /dev/video? r,
      /etc/pulse/client.conf r,
      /opt/microsoft/msedge-beta/microsoft-edge-beta Px,
      /opt/microsoft/msedge-beta/msedge mrix,
      /opt/microsoft/msedge-beta/msedge_crashpad_handler mrix,
      /opt/microsoft/msedge-beta/nacl_helper mrix,
      /proc/*/stat r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/self/exe mrix,
      /proc/stat r,
      /proc/sys/crypto/fips_enabled r,
      /proc/sys/dev/i915/perf_stream_paranoid r,
      /proc/sys/fs/inotify/max_user_watches r,
      /proc/sys/kernel/yama/ptrace_scope r,
      /proc/vmstat r,
      /run/pulseaudio-enable-autospawn r,
      /run/udev/data/n? r,
      /sys/devices/**/class r,
      /sys/devices/**/device r,
      /sys/devices/**/uevent r,
      /sys/devices/**/vendor r,
      /sys/devices/*/*/*/*/bConfigurationValue r,
      /sys/devices/*/*/*/*/manufacturer r,
      /sys/devices/*/*/*/*/product r,
      /sys/devices/*/*/*/*/serial r,
      /sys/devices/*/*/subsystem_device r,
      /sys/devices/*/*/subsystem_vendor r,
      /sys/devices/pci0000:00/0000:00:??.0/usb?/*/*/interface r,
      /sys/devices/pci0000:00/0000:00:??.0/usb?/*/idVendor r,
      /sys/devices/system/cpu/online r,
      /sys/devices/virtual/dmi/id/product_name r,
      /sys/devices/virtual/dmi/id/sys_vendor r,
      /sys/devices/virtual/tty/tty0/active r,
      /usr/bin/basename mrix,
      /usr/bin/cut mrix,
      /usr/bin/dash ix,
      /usr/bin/kreadconfig5 mrix,
      /usr/bin/readlink mrix,
      /usr/bin/which mrix,
      /usr/bin/xdg-desktop-menu mrix,
      /usr/bin/xdg-desktop-menu r,
      /usr/bin/xdg-settings mrix,
      /{media,mnt,opt,srv}/** mr,
      owner "/home/*/.cache/microsoft-edge-beta/Default/Code Cache/" rw,
      owner "/home/*/.cache/microsoft-edge-beta/Default/Code Cache/*/*/temp-index" rw,
      owner "/home/*/.cache/microsoft-edge-beta/Default/Code Cache/*/index-dir/" rw,
      owner "/home/*/.config/microsoft-edge-beta/*/*/*/*/Ruleset Data" r,
      owner "/home/*/.config/microsoft-edge-beta/Ad Blocking/.com.*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Ad Blocking/blocklist" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Extension Cookies" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/*.dbtmp" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/.usage" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/LOCK" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/Paths/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/Paths/CURRENT" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/Paths/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/Paths/LOG" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/*/*/Paths/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/???/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/???/?/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Origins/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Origins__tmp_for_rebuild/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/??/*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/CURRENT" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/LOG" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/lost/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/*/application_x-ppapi-widevine-cdm/Paths/lost/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/002/application_x-ppapi-widevine-cdm/??/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/???/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/???/application_x-ppapi-widevine-cdm/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/???/application_x-ppapi-widevine-cdm/??/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/???/application_x-ppapi-widevine-cdm/LOCK" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/*.log" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/*.old" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/CURRENT" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/LOCK" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/LOG" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/lost/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/File System/Plugins/Origins/lost/MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Local Storage/leveldb/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Local Storage/leveldb__tmp_for_rebuild/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Login Data" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Login Data-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Network Action Predictor" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Network Action Predictor-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Network Persistent State" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/PDF Restore Data/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Reporting and NEL" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Reporting and NEL-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Safe Browsing Cookies" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Secure Preferences" r,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/*/*/*/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/CacheStorage/*/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/Database/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/Database__tmp_for_rebuild/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/ScriptCache/*_?" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/ScriptCache/index" r,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/ScriptCache/index-dir/temp-index" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/ScriptCache/index-dir/the-real-index" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Session Storage/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Session Storage/*.ldb" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Session Storage__tmp_for_rebuild/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics Database/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Sync App Settings/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Sync App Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Sync Extension Settings/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Sync Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Top Sites" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Top Sites-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Visited Links" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Web Data" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Web Data-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Last Version" rw,
      owner "/home/*/.config/microsoft-edge-beta/Local State" rw,
      owner "/home/*/.config/microsoft-edge-beta/Safe Browsing/*.store_new" rw,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Advertising" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Analytics" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/CompatExceptions" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Content" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Cryptomining" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Entities" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Fingerprinting" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Other" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Social" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Staging" r,
      owner "/home/*/.config/microsoft-edge-beta/Web Notifications Deny List/*/*.list" r,
      owner "/home/*/.config/microsoft-edge-beta/Webstore Downloads/cjpalhdlnbpafiamejdnhcphjbkeiagm_*.crx" rw,
      owner "/home/*/Downloads/Unconfirmed *.crdownload" rw,
      owner /dev/shm/.com.* rw,
      owner /dev/shm/?????? rw,
      owner /dev/shm/sem.Smartscreen-* rwl,
      owner /home/*/.Xauthority r,
      owner /home/*/.cache/Microsoft/ rw,
      owner /home/*/.cache/Microsoft/Edge/ rw,
      owner /home/*/.cache/Microsoft/Edge/IdentityCache/ rw,
      owner /home/*/.cache/Microsoft/Edge/IdentityCache/FileAccessLock rwk,
      owner /home/*/.cache/fontconfig/*.cache-* r,
      owner /home/*/.cache/mesa_shader_cache/*/* rwk,
      owner /home/*/.cache/mesa_shader_cache/??/ rw,
      owner /home/*/.cache/mesa_shader_cache/index rw,
      owner /home/*/.cache/microsoft-edge-beta/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/*/the-real-index rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/*_? rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/index rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/index-dir/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/Cache_Data/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/js/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/wasm/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/Cache/ rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/Cache/Cache_Data/index-dir/temp-index rw,
      owner /home/*/.cache/microsoft-edge-beta/PnaclTranslationCache/ rw,
      owner /home/*/.cache/microsoft-edge-beta/PnaclTranslationCache/data_? rw,
      owner /home/*/.cache/microsoft-edge-beta/PnaclTranslationCache/index rw,
      owner /home/*/.config/*.dirs r,
      owner /home/*/.config/gtk-3.0/*.css r,
      owner /home/*/.config/gtk-3.0/*.ini r,
      owner /home/*/.config/microsoft-edge-beta/**.fingerprint r,
      owner /home/*/.config/microsoft-edge-beta/**.json rw,
      owner /home/*/.config/microsoft-edge-beta/*.pma rw,
      owner /home/*/.config/microsoft-edge-beta/*.tmp rw,
      owner /home/*/.config/microsoft-edge-beta/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/*/*.dat rwk,
      owner /home/*/.config/microsoft-edge-beta/*/*.pma rw,
      owner /home/*/.config/microsoft-edge-beta/*/*.store rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/*.txt r,
      owner /home/*/.config/microsoft-edge-beta/*/*/cache rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/crl-set rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/download_cache rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/edgeSettings r,
      owner /home/*/.config/microsoft-edge-beta/*/*/edgeSettings_2.0-* r,
      owner /home/*/.config/microsoft-edge-beta/*/*/synchronousLookupUris rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/synchronousLookupUris_* rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/topTraffic r,
      owner /home/*/.config/microsoft-edge-beta/*/*/topTraffic_* r,
      owner /home/*/.config/microsoft-edge-beta/*/*/warnStateCache rw,
      owner /home/*/.config/microsoft-edge-beta/*/campaign_history rwk,
      owner /home/*/.config/microsoft-edge-beta/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/BrowserMetrics/ rw,
      owner /home/*/.config/microsoft-edge-beta/CertificateRevocation/*.*.*.*/ rw,
      owner /home/*/.config/microsoft-edge-beta/CertificateRevocation/*.*.*.*/*.fingerprint w,
      owner /home/*/.config/microsoft-edge-beta/Default/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**.dbtmp rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**.log rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**.old rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.bak rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db-shm rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db-wal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.msbak rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*-*-*-*-*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*.db rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*.ldb rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*.tmp rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*/temp-index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*/the-real-index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*_? rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/index-dir/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/? rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/CURRENT rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/MANIFEST-* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/CURRENT rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/MANIFEST-* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/Session_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/Tabs_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/campaign_history rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/collectionsSQLite rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/data_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Bookmarks rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Cookies rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/Cookies-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/EdgePushStorageWithConnectTokens/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/EntityExtraction/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/EntityExtraction/*.db/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/EntityExtraction/*.pb rw,
      owner /home/*/.config/microsoft-edge-beta/Default/EntityExtraction/Templates/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_*/CRX_INSTALL/_locales/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/*/*/diff/*.md rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*.fingerprint rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*.html rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*.json rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/*.md rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/LICENSE rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/addon/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/lib/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/lib/*.css rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/lib/*.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/wasm/*.md rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/wasm/*.wasm rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/*/wasm/*.wat rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/diff/*.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/lz4/*-codec-any.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/*/lz4/*-codec.wasm rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/_metadata/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/assets/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/assets/ublock/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/css/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/css/*.css rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/img/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/js/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/*.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/*/wasm/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/codemirror/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/diff/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/lz4/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/lz4/*-codec-js.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/lz4/*-codec-wasm.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/lz4/*-codec.wat rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/publicsuffixlist/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/publicsuffixlist/*.js rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/lib/regexanalyzer/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/Temp/scoped_dir*/CRX_INSTALL/web_accessible_resources/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/*.* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/LICENSE rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/UNLICENSE rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/addon/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/as/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/codemirror/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/comment/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/diff/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/display/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/edit/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/empty rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/et/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/fold/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/fontawesome/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/fonts/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/fonts/*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/hint/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/lib/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/list/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/lz4/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/merge/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/publicsuffixlist/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/regexanalyzer/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/resources/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/scriptlets/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/scroll/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/search/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/selection/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/themes/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/thirdparties/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/ublock/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/urlhaus-filter/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/wasm/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/*.* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/_locales/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/_locales/*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/_metadata/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/assets/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/css/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/img/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/js/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/*/web_accessible_resources/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.*.*/*/*/*.org/*/serverlist rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.*.*/*/thirdparties/*.org/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.*.*_*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Favicons rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/Favicons-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/History rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/History-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/IndexedDB/chrome-extension_cjpalhdlnbpafiamejdnhcphjbkeiagm_*.*.leveldb/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/IndexedDB/https_*.leveldb/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Pdf/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Pdf/pdfSQLite rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Preferences rw,
      owner /home/*/.config/microsoft-edge-beta/Default/PreferredApps r,
      owner /home/*/.config/microsoft-edge-beta/Default/QuotaManager rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/QuotaManager-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Shortcuts rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/Shortcuts-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/TransportSecurity rw,
      owner /home/*/.config/microsoft-edge-beta/Default/WebAssistDatabase rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/WebAssistDatabase-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/databases/*.db-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/databases/Delete*/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/databases/https_*.com_?/ rw,
      owner /home/*/.config/microsoft-edge-beta/Dictionaries/*.bdic rw,
      owner /home/*/.config/microsoft-edge-beta/GrShaderCache/GPUCache/?_* rw,
      owner /home/*/.config/microsoft-edge-beta/GrShaderCache/GPUCache/data_? rw,
      owner /home/*/.config/microsoft-edge-beta/GrShaderCache/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/ShaderCache/GPUCache/data_? rw,
      owner /home/*/.config/microsoft-edge-beta/ShaderCache/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonCookie rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonLock rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonSocket rw,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/latest-component-updated-widevine-cdm rw,
      owner /home/*/.config/microsoft-edge-beta/hyphen-data/*/*.hyb r,
      owner /home/*/.config/pulse/cookie rk,
      owner /home/*/.local/share/.com.* rw,
      owner /home/*/.pki/nssdb/*.db rwk,
      owner /home/*/.pki/nssdb/*.txt r,
      owner /home/*/Documents/*.png r,
      owner /home/*/Documents/*.txt rw,
      owner /home/*/Downloads/*.jpeg rw,
      owner /home/*/Downloads/*.jpeg.crdownload rw,
      owner /home/*/Downloads/*.txt rw,
      owner /home/*/Downloads/*.txt.crdownload rw,
      owner /home/*/Downloads/terabyte_drive_image_*.exe rw,
      owner /proc/*/clear_refs rw,
      owner /proc/*/cmdline r,
      owner /proc/*/gid_map rw,
      owner /proc/*/oom_score_adj rw,
      owner /proc/*/setgroups rw,
      owner /proc/*/statm r,
      owner /proc/*/status r,
      owner /proc/*/task/*/status r,
      owner /proc/*/task/?????/status r,
      owner /proc/*/uid_map rw,
      owner /{media,mnt,opt,srv}/** mrw,
    
    }
    
    
    
    File name: opt.microsoft.msedge-beta.microsoft-edge-beta

    Code:
    # Last Modified: Wed Dec 22 16:17:03 2021
    #include <tunables/global>
    
    /opt/microsoft/msedge-beta/microsoft-edge-beta {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/consoles>
      #include <abstractions/opencl-pocl>
      #include <abstractions/totem>
      #include <abstractions/ubuntu-browsers.d/plugins-common>
      #include <abstractions/ubuntu-konsole>
    
      capability sys_admin,
    
      /opt/microsoft/msedge-beta/msedge Px,
      /proc/*/stat r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/stat r,
      /proc/sys/crypto/fips_enabled r,
      /proc/sys/fs/inotify/max_user_watches r,
      /run/udev/data/n? r,
      /sys/devices/**/uevent r,
      /sys/devices/*/*/*/*/bConfigurationValue r,
      /sys/devices/*/*/*/*/manufacturer r,
      /sys/devices/*/*/*/*/product r,
      /sys/devices/*/*/*/*/serial r,
      /sys/devices/platform/*/uevent r,
      /sys/devices/system/cpu/online r,
      /sys/devices/virtual/dmi/id/product_name r,
      /sys/devices/virtual/dmi/id/sys_vendor r,
      /usr/bin/cat mrix,
      /usr/bin/dirname mrix,
      /usr/bin/mkdir mrix,
      /usr/bin/readlink mrix,
      /{media,mnt,opt,srv}/** mr,
      owner "/home/*/.cache/microsoft-edge-beta/Default/Code Cache/*/*/temp-index" rw,
      owner "/home/*/.config/microsoft-edge-beta/*/*/*/*/Ruleset Data" r,
      owner "/home/*/.config/microsoft-edge-beta/Ad Blocking/.com.*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Ad Blocking/blocklist" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Extension Scripts/LOG" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Login Data" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Network Action Predictor" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Network Action Predictor-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Secure Preferences" r,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/*/*/temp-index" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Service Worker/*/*/the-real-index" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */*.log" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */*.old" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */CURRENT" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */LOCK" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */LOG" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Site Characteristics */MANIFEST-*" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Top Sites" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Top Sites-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Visited Links" rw,
      owner "/home/*/.config/microsoft-edge-beta/Default/Web Data" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Default/Web Data-journal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Diagnostic Data" rwk,
      owner "/home/*/.config/microsoft-edge-beta/Diagnostic Data-wal" rw,
      owner "/home/*/.config/microsoft-edge-beta/Last Version" rw,
      owner "/home/*/.config/microsoft-edge-beta/Local State" rw,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Advertising" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Analytics" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/CompatExceptions" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Content" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Cryptomining" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Entities" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Fingerprinting" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Other" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Social" r,
      owner "/home/*/.config/microsoft-edge-beta/Trust Protection Lists/*/*/Staging" r,
      owner /dev/shm/.com.* rw,
      owner /dev/shm/?????? rw,
      owner /dev/shm/sem.Smartscreen-* rw,
      owner /home/*/.Xauthority r,
      owner /home/*/.cache/Microsoft/Edge/IdentityCache/FileAccessLock rwk,
      owner /home/*/.cache/fontconfig/*.cache-* r,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/*/the-real-index rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/*_? rw,
      owner /home/*/.cache/microsoft-edge-beta/Default/*/*/index r,
      owner /home/*/.cache/microsoft-edge-beta/PnaclTranslationCache/data_? rw,
      owner /home/*/.cache/microsoft-edge-beta/PnaclTranslationCache/index rw,
      owner /home/*/.config/*.dirs r,
      owner /home/*/.config/gtk-3.0/*.css r,
      owner /home/*/.config/gtk-3.0/*.ini r,
      owner /home/*/.config/microsoft-edge-beta/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/*/*.dat rwk,
      owner /home/*/.config/microsoft-edge-beta/*/*.pma rw,
      owner /home/*/.config/microsoft-edge-beta/*/*.store r,
      owner /home/*/.config/microsoft-edge-beta/**.fingerprint r,
      owner /home/*/.config/microsoft-edge-beta/*/*/*.json r,
      owner /home/*/.config/microsoft-edge-beta/*/*/*.txt r,
      owner /home/*/.config/microsoft-edge-beta/*/*/*/*.json r,
      owner /home/*/.config/microsoft-edge-beta/*/*/cache rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/crl-set r,
      owner /home/*/.config/microsoft-edge-beta/*/*/download_cache rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/edgeSettings r,
      owner /home/*/.config/microsoft-edge-beta/*/*/edgeSettings_2.0-* r,
      owner /home/*/.config/microsoft-edge-beta/*/*/synchronousLookupUris rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/synchronousLookupUris_* rw,
      owner /home/*/.config/microsoft-edge-beta/*/*/topTraffic r,
      owner /home/*/.config/microsoft-edge-beta/*/*/topTraffic_* r,
      owner /home/*/.config/microsoft-edge-beta/*/*/warnStateCache rw,
      owner /home/*/.config/microsoft-edge-beta/*/campaign_history rwk,
      owner /home/*/.config/microsoft-edge-beta/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/BrowserMetrics/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db-shm rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*.db-wal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.msbak rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*.old rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*.db rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/**.dbtmp rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**.log rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**.old rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*.ldb rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*.tmp rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*.txt rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*/temp-index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*/the-real-index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/*_? rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*/*/index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/*_? rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/? rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**/CURRENT rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/**/MANIFEST-* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/*/index r,
      owner /home/*/.config/microsoft-edge-beta/Default/*/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/Session_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/Tabs_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/campaign_history rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/collectionsSQLite rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/*/data_* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/*/leveldb/ rw,
      owner /home/*/.config/microsoft-edge-beta/Default/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Bookmarks r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/*/*.html r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/**.json r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/**.css r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/**.js r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/*/*/*.png r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/*/*/*.svg r,
      owner /home/*/.config/microsoft-edge-beta/Default/Extensions/odfafepnkmbhccpbejgmiehpchacaeak/*/*/*/*/*.woff2 r,
      owner /home/*/.config/microsoft-edge-beta/Default/Favicons rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/Favicons-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/Default/History rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/History-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/LOCK rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/LOG rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Preferences rw,
      owner /home/*/.config/microsoft-edge-beta/Default/PreferredApps r,
      owner /home/*/.config/microsoft-edge-beta/Default/QuotaManager rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/QuotaManager-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/Shortcuts rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/Shortcuts-journal rw,
      owner /home/*/.config/microsoft-edge-beta/Default/WebAssistDatabase rwk,
      owner /home/*/.config/microsoft-edge-beta/Default/WebAssistDatabase-journal rw,
      owner /home/*/.config/microsoft-edge-beta/GrShaderCache/GPUCache/data_? rw,
      owner /home/*/.config/microsoft-edge-beta/GrShaderCache/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/ShaderCache/GPUCache/data_? rw,
      owner /home/*/.config/microsoft-edge-beta/ShaderCache/GPUCache/index rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonCookie rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonLock rw,
      owner /home/*/.config/microsoft-edge-beta/SingletonSocket rw,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/*/*.json r,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/.com.* rw,
      owner /home/*/.config/microsoft-edge-beta/WidevineCdm/latest-component-updated-widevine-cdm rw,
      owner /home/*/.local/share/.com.* rw,
      owner /home/*/.pki/nssdb/*.db rwk,
      owner /home/*/.pki/nssdb/*.txt r,
      owner /home/*/Downloads/*.txt rw,
      owner /home/*/Downloads/*.txt.crdownload rw,
      owner /proc/*/??/?? rw,
      owner /proc/*/clear_refs rw,
      owner /proc/*/cmdline r,
      owner /proc/*/oom_score_adj rw,
      owner /proc/*/statm r,
      owner /proc/*/status r,
      owner /proc/*/task/?????/status r,
      owner /{media,mnt,opt,srv}/** mrw,
    
    }
    
    **Disclaimer** you use these at your own risk, but if you encounter problems, the easiest way to resolve is:

    1. sudo aa-complain /path/to/bin
    2. clear the syslogs using file clearsyslogs.sh
    3. open the browser and use it a bit, then close
    4. sudo aa-logprof run through the profiling one at a time and create rules permissions until the profiling is completed
    5. sudo service apparmor reload
    6. sudo aa-enforce /path/to/bin
    7. open browser again to see if issues are resolved
    If not, repeat steps 1-7. Good luck!

    EDIT

    Modified opt.microsoft.msedge-beta.msedge profile with removal of some redundant entries.

    Also posted proper file names for each profile.
     
    Last edited: Jan 8, 2022
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    BTW, there may be those who belittle the effectiveness of Apparmor with unsubstantiated claims, but here are two examples of it effectively blocking an unauthorized download and attempted installation of an extension from the Edge-beta browser:

    linux downlod denied.png

    chrome extension denied.png

    As long as the profile(s) are built with an approach that balances program restrictiveness with usability, it is a strong security measure against malicious activities attempting to exploit the confined program.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks for bringing up AppArmor again, @wat0114 ! Nice posts! (Although I will certainly never use a spyware like Edge on my Linux system ;) )

    I won't comment on the profiles in detail. Just saying that for my taste the Firefox profile seems to be a bit too fine-grained regarding the rules for ~/.mozilla and ~/.cache/mozilla. It should also be mentioned that, AFAIK, on Ubuntu-based distros the AppArmor profile for Firefox should be enabled by default and should work without problems. I think this also applies to, e.g., LibreOffice.

    I'd like to add that one could simplify life a bit by adding some aliases or functions to ~/.bashrc , e.g.:

    Code:
    alias aas="sudo aa-status"
    alias aasp="sudo aa-status --pretty-json"
    alias aal="sudo aa-logprof"
    
    aac()
    {
      sudo aa-complain /etc/apparmor.d/$1 && sudo systemctl reload apparmor
    }
    
    aae()
    {
      sudo aa-enforce /etc/apparmor.d/$1 && sudo systemctl reload apparmor
    }
    
    aad()
    {
      sudo aa-disable /etc/apparmor.d/$1 && sudo systemctl reload apparmor
    }
    So if you want to set the, e.g., Firefox profile to enforce mode (or reload it after making changes) you could just input

    Code:
    aae *.firefox
    As another hint, one could also combine AppArmor with Firejail to get an extremely strong sandbox.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thanks @summerheat !

    You are the one and only person I could think of who might have taken an interest in this, although I hope to spark the interest of others :)

    Yes, my tendency is to create path rules more granular than they probably need to be, just because I lean more toward security, rather than covering more ground with wide-ranging rules. I can't help myself ;)

    As for included Firefox profiles in Ubuntu-based distros, I haven't seen one in years, including latest MX releases. Thanks for the alias tips, although I usually just type Ctrl-R, then the first two or three letters of the command I want, or even the Up arrow key for a very recently used command.
     
    Last edited: Jan 8, 2022
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I hope so, too! I think that most users are afraid of the complexity involved. Sure - using AppArmor and particularly creating profiles requires some learning. On the other hand, there are many profiles available in /usr/share/apparmor/extra-profiles which can be copied to /etc/apparmor.d if required. They are often not "mature" as the README in that folder says but they can be used as a starting point by setting them to complain mode and adding rules with aa-logprof if necessary.

    I think for AppArmor newbies it's important to note that a self-written profile (which might actually be too permissive) cannot worsen the security of a system: AppArmor cannot nullify or bypass existing constraints (e.g. file permissions) - it can only apply additional constraints on top of existing security mechanisms. Hence, nobody needs to be afraid of introducing new vulnerabilities by using AppArmor. And if an application doesn't work anymore after setting the respective profile to enforce mode, it's easy to add rules by executing aa-logprof, or set it to complain mode again or disable it. Learning by doing! (Regarding deny rules: these remarks which I once added to the Arch wiki might be worth reading.)

    Well, with uBO as the only add-on it's certainly easier to follow such a strategy. :) Anyway, if it works for you all is well.

    Well, MX is Debian-based. But if I remember correctly on my wife's Kubuntu system the Firefox profile was enabled by default. This table seems to confirm that.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    That's good to know about Deny rules, especially that they are enforced in complain mode. I've got only a few to somewhat tame Edge's telemetry. Btw, I use Edge in Linux to view Netflix streaming content, and I guess also because I believe the Linux sandbox is very strong.

    I even downloaded the apparmor extra-profiles for MX-21, and Firefox profile was not included. However, a quick search and I found one here from 2019:

    https://github.com/nibags/apparmor-profiles/blob/master/apparmor.d/usr.bin.firefox

    I don't have the requisite knowledge to create a profile as fancy as it and others that include #comments, but it feels more rewarding all the same to create my own. I also notice there is no Discrete profile execute mode used anywhere (Px) to scrub the environment, only inherit execute (ix).
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Px can only be used if the respective helper application has its own AppArmor profile.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Of course :thumb:
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    Hi,:thumb:
    nice work.
    MS Edge has as many as 7 internal policies (7 registry keys) for the security control of extensions:

    https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensions-policies
     
    Last edited: Jan 8, 2022
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thank you, Sampei! Although in Linux it's a rather different ball of wax, as Apparmor confines with file paths and no registry is present. One of the several path rules for uBlock Origin is, for example:
    Code:
    owner /home/*/.config/microsoft-edge-beta/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/**/addon/ rw, 
    The extension ID from the Chrome Store for it is cjpalhdln... The profile I posted allows only for this extension from the Chrome Store and nothing else. If one wanted to add another extension, they would have to run steps 1-7 from my first post, installing the extension after step 1, then follow up with 2-7, and quite likely repeating 1-7 again.

    It's one reason why I mentioned time and patience is required for utilizing Apparmor. It's a rather tedious process that in the end rewards one with a significant increase in the confined program's level of security.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I guess only interesting for @wat0114 and, possibly, recently @Mrkvonic : I found this github repository offering about 1,200 AppArmor profiles for Arch, Debian 11 and Ubuntu.

    If you want to install them, you have to execute this command:

    Code:
    git clone  https://github.com/roddhjav/apparmor.d.git
    cd into apparmor.d and follow the steps mentioned here. However, before you do that you should take into account that not only a lot of applications but also, e.g., systemd services and other crucial stuff will be confined by those profiles. Hence, it cannot be ruled out that your system might not boot anymore. That's why the author recommends that the profiles should be set into complain mode first, and the user should familiarize him-/herself with system recovery. Backing up your system beforehand is always a good idea. Alternatively, you can install specific profiles only by executing

    Code:
    sudo ./pick <profiles-name>
    in the apparmor.d directory.

    Are those profiles of good quality? I don't know as I haven't checked them thoroughly so far. But they are, at least, a good place to learn about AppArmor and to compare them with your own self-written profiles. And the idea to confine your (more or less) complete system with AppArmor is somehow intriguing. Although some may say that it's overkill ...

    Noteworthy is that in the apparmor.d/groups/browsers folder the profiles for the browsers therein are separated into several profiles by creating a special one for, e.g., brave-sandbox or firefox-plugin-container. Those profiles are called in the main profile with rPx. (Alternatively, they could have been added to the main profile as child profiles -> Cx.) Interesting idea to make those profiles even tighter and certainly worth a look.
     
    Last edited: Sep 2, 2022
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    Actually, summerheat, you can add my name to those interested. But I'd be lying if I said that I understood even 1/4th of this, still learning. Thanks for posting.
    Acadia
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Welcome to the club :thumb: So now there are 4 of us :D

    If it comes to learning, this Ubuntu documentation gives a short overview. Much more comprehensive is the documentation on the AppArmor gitlab site.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Wow that's a boatload of profiles I'll check out later when time permits. Thanks for this summerheat :thumb:
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @wat0114 : I always wanted to mention this but forgot about it: Your msedge-beta.msedge profile contains those lines:

    Code:
    ptrace read peer=/opt/microsoft/msedge-beta/msedge//null-/opt/microsoft/msedge-beta/microsoft-edge-beta//null-/opt/microsoft/msedge-beta/msedge,
    ptrace read peer=/opt/microsoft/msedge-beta/msedge//null-/usr/bin/xdg-settings,
    Such rules referring to "null" sometimes appear although I cannot really explain why. They are always a bit irritating. But anyway - by executing

    Code:
    sudo aa-remove-unknown -n
    you can display the profile names to be removed. Omitting the -n removes them immediately.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thanks summerheat. However, when I run that command nothing is displayed. Even if I omit the -n they still exist. I've no idea what those null rules meant, so I've always just created them from the log profiling.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Just to clarify: not those lines but the null-profiles will be removed. I noticed, though, that they usually vanish after some time (or if you clear syslog and audit.log, respectively). But as long as they exist they are a bit irritating as they are also taken into account by aa-logprof. By executing aa-remove-unknown you can get rid of them immediately.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Oh, okay, thanks. I'll check whenever I go back into Linux again.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've played with the profiles from this project for a while, and here is my verdict: Don't use it as advertised - for 2 reasons:

    1. The impressive number of 1,400 profiles include critical executables/services like systemd, polkit etc. Although all profiles are set into complain mode by default the deny rules in many profiles and abstractions can still break your system at next boot. If you still want to try it, you should make yourself familiar with system recovery or try it in a VM first.
    2. An irritating and annoying problem is the following one: All profiles use the @{exec_path} variable - which is actually a nice idea. Unfortunately, this causes problems if more than one profile uses that variable due to this AppArmor bug which breaks the AppArmor userland tools. In other words: those tools like, e.g., aa-complain, aa-enforce and aa-logprof produce errors when executed. While manually setting one profile into enforce mode is easy (by removing the complain flag and reloading AppArmor), doing this for many profiles is a tedious work without aa-enforce. And the tool aa-log which comes with that project is nice but not a replacement for aa-logprof as adding rules interactively is not possible. Hence, as long as the mentioned bug isn't fixed by upstream, this is a no-go for me.

    Nevertheless, I like this project as it is a great learning place, gives many ideas for profiles you can add to your list, and provides an opportunity to streamline your self-made profiles. I suggest to use it the following way:

    1. Gradually install individual profiles as needed with the pick approach mentioned earlier. Those profiles will be set into complain mode.
    2. pick will also install the (additional) abstractions needed by those profiles and provided by the project. However, it does not install the profiles for helper applications called via Px ! Hence, you should check if the profiles you want to install contain such lines and install the profiles for those helper applications as well - otherwise those calls will come to nothing and will probably produce errors.
    3. In order to avoid the above mentioned breakage of the userland tools you should remove the @{exec_path} variable in those newly installed profiles. Example: The Firefox profile contains those lines:
    Code:
    @{MOZ_LIBDIR}  = /{usr/,}lib/firefox{,-esr}
    @{MOZ_LIBDIR} += /opt/firefox{,-esr}
    @{MOZ_HOMEDIR} = @{HOME}/.mozilla
    @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
    profile firefox @{exec_path} flags=(attach_disconnected) {
    
    ...
    @{exec_path} mrix,
    Edit it to look it this way:
    Code:
    @{MOZ_LIBDIR}  = /{usr/,}lib/firefox{,-esr}
    @{MOZ_LIBDIR} += /opt/firefox{,-esr}
    @{MOZ_HOMEDIR} = @{HOME}/.mozilla
    # @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
    profile firefox @{MOZ_LIBDIR}/firefox{,-bin,-esr} flags=(attach_disconnected) {
    
    ...
    @{MOZ_LIBDIR}/firefox{,-bin,-esr} mrix,
    and reload AppArmor (on distros with systemd by executing sudo systemctl reload apparmor).
    4. Test those profiles for a while and add rules with aa-logprof if needed. Then set them into enforce mode.
     
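The edit described in step 3 above (comment out the @{exec_path} definition and substitute its value everywhere else) can be done mechanically. The following Python helper is an added example written for this thread; it is not code from the apparmor.d project or from any poster. It assumes the profile defines @{exec_path} on exactly one line of the form `@{exec_path} = <value>` (a `+=` append is refused rather than guessed at) and that the variable appears elsewhere only as a plain token. The sample profile text embedded below is reduced from the Firefox fragment quoted in the post.

```python
"""Rewrite an apparmor.d profile so it no longer relies on @{exec_path}.

Added example for the thread, not project code. It performs the manual edit
described above: the definition line is kept as a comment and every other
occurrence of @{exec_path} is replaced by the literal value.
"""
import re
import sys

EXEC_VAR = "@{exec_path}"
# Definition line, e.g. "@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}"
DEF_RE = re.compile(r"^(?P<indent>\s*)@\{exec_path\}\s*=\s*(?P<value>.+?)\s*$")
# Append form "@{exec_path} += ..." which this helper deliberately does not handle
APPEND_RE = re.compile(r"^\s*@\{exec_path\}\s*\+=")


def inline_exec_path(profile_text: str) -> str:
    """Return the profile with @{exec_path} replaced by its literal value.

    Raises ValueError if the variable is appended to (+=) or used without a
    definition, so a profile this helper does not understand is left untouched.
    """
    lines = profile_text.splitlines()
    value = None
    for line in lines:
        if APPEND_RE.match(line):
            raise ValueError("'@{exec_path} +=' is not supported by this helper")
        m = DEF_RE.match(line)
        if m:
            if value is not None:
                raise ValueError("multiple @{exec_path} definitions")
            value = m.group("value")
    if value is None:
        if EXEC_VAR in profile_text:
            raise ValueError("@{exec_path} is used but never defined")
        return profile_text  # nothing to do

    out = []
    for line in lines:
        m = DEF_RE.match(line)
        if m:
            # keep the original definition visible, but inactive
            out.append(m.group("indent") + "# " + line.lstrip())
        else:
            out.append(line.replace(EXEC_VAR, value))
    result = "\n".join(out)
    if profile_text.endswith("\n"):
        result += "\n"
    return result


# Constructed sample, reduced from the Firefox profile fragment quoted in the post.
BEFORE = """@{MOZ_LIBDIR}  = /{usr/,}lib/firefox{,-esr}
@{MOZ_LIBDIR} += /opt/firefox{,-esr}
@{MOZ_HOMEDIR} = @{HOME}/.mozilla
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
profile firefox @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
}
"""

# What the post says the edited profile should look like.
AFTER = """@{MOZ_LIBDIR}  = /{usr/,}lib/firefox{,-esr}
@{MOZ_LIBDIR} += /opt/firefox{,-esr}
@{MOZ_HOMEDIR} = @{HOME}/.mozilla
# @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
profile firefox @{MOZ_LIBDIR}/firefox{,-bin,-esr} flags=(attach_disconnected) {
  @{MOZ_LIBDIR}/firefox{,-bin,-esr} mrix,
}
"""

if __name__ == "__main__":
    # usage: python3 inline_exec_path.py /etc/apparmor.d/firefox > firefox.new
    # (review the diff, then copy it into place and reload AppArmor)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(inline_exec_path(fh.read()))
    else:
        sys.stdout.write(inline_exec_path(BEFORE))
```

The script prints the rewritten profile rather than editing in place, so the result can be reviewed (and diffed against the original) before it is copied into /etc/apparmor.d and AppArmor is reloaded.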
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Firefox, AppArmor & self-update - Tutorial

    You take my self, you take my self control. Here's a tutorial showing how to configure non-standard editions of Firefox like standalone Dev or Nightly tar builds for automatic self-update when using an AppArmor security hardening profile. Have fun.

    https://www.dedoimedo.com/computers/apparmor-firefox-self-update.html


    Cheers,
    Mrk
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Just an update to my post. The issues mentioned therein seem to be resolved by now. A full installation should normally not cause problems as all profiles are installed in complain mode by default. Among the various desktop environments Gnome and KDE (still WIP but already rather stable) are supported. Just in case that you don't reach your graphical login screen you should be able to switch to a TTY with, e.g., Ctrl-Alt-F3, execute aa-logprof to see if anything was blocked (by a deny rule?), or you can temporarily disable apparmor with sudo systemctl disable apparmor. Nevertheless it's a good idea to make yourself familiar with system recovery just in case. But again, this should normally not be necessary.

    Installation instructions: https://apparmor.pujol.io/install/
    Speeding up AppArmor start: https://apparmor.pujol.io/configuration/
    Usage: https://apparmor.pujol.io/usage/
    Setting the profiles into enforce mode: https://apparmor.pujol.io/enforce/ - This does not apply to profiles which are considered unstable by the author.
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Apparmor popup notification:

    AppArmor notification reads: apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2196 comm="cups-browsed" capability=23 capname="sys_nice"

    The location of entry is in: /var/log/kern.log
    Also see another popup message about debugging Apparmor think here:
    https://wiki.ubuntu.com/DebuggingApparmor
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Well cups-browsed has to do with a printer server. Are you printing over a network and if so, are you encountering issues? Also, what is causing the "Apparmor popup notification"? In my experience I never see Apparmor pop-ups. Rather, I need to run from a terminal: sudo aa-logprof to see an output for anything an enforced Apparmor profile has blocked.
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, it seems that desktop notifications via aa-notify are set up on @Compu KTed 's system.

    This means that the cups-browsed process requests the sys_nice capability in order to change the process priority. It is sometimes the case that a process requests something which doesn't necessarily mean that it really needs it. So if everything works as it should you can ignore that. However, frequent pop-ups can be annoying, of course. To get rid of them you have the following choices:

    1. Deactivate desktop notifications via aa-notify and execute - as @wat0114 suggested - sudo aa-logprof if something doesn't work.
    2. sudo aa-logprof lets you interactively add rules to your profiles. Tutorials are, e.g., this and this one. However, such individual rules added to profiles that are pre-installed on your system will be gone when AppArmor will be updated. So rules suggested by aa-logprof should only be added to profiles you created yourself. If it comes to adding rules to pre-installed profiles I suggest to add them to the respective file under /etc/apparmor.d/local. E.g. you will see in the cups-browsed profile this line:
    Code:
    include <local/cups-browsed>
    Hence, you can manually add the following rule (as suggested by aa-logprof) to /etc/apparmor.d/local/cups-browsed:
    Code:
    capability sys_nice,
    This means that you allow this capability for cups-browsed. Don't forget the comma at the end!

    Or you could add the following rule to that file:
    Code:
    deny capability sys_nice,
    This means that you explicitly deny this capability (as cups-browsed works without it) - and the deny rule also has the effect that this request will no longer appear in aa-logprof or aa-notify.

    In either case you should reload AppArmor by executing sudo systemctl reload apparmor.
     
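The triage in the post above (read the DENIED line, decide whether to allow or deny, put the rule in the profile's local/ include) is easy to script. The following Python snippet is an added example for this thread, not code from the AppArmor project or from any poster. It parses the key="value" format of AppArmor kernel/audit lines, derives the suggested `capability sys_nice,` / `deny capability sys_nice,` rule for the cups-browsed event quoted earlier, and locates the local override file by reading the `include <local/...>` line from the main profile. It goes slightly beyond the post by also handling plain file-access denials (operation="open" with name= and requested_mask=), using a conservative mask mapping; the second sample line and the sample profile text are constructed for the example.

```python
"""Turn AppArmor DENIED log lines into suggested local override rules.

Added example for the thread, not AppArmor project code. Handles two event
shapes: capability requests (operation="capable") and simple file accesses
(name= plus requested_mask=). Anything else raises ValueError so the reader
falls back to aa-logprof instead of getting a guessed rule.
"""
import re

# key=value pairs; values are either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the include line in the main profile that names the local override file
LOCAL_INCLUDE_RE = re.compile(r'^\s*#?include\s+<local/([^>]+)>', re.M)
# audit requested_mask letters -> profile permission letters (conservative:
# append/create/delete all become plain write; execute is refused below)
MASK_MAP = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
            "k": "k", "m": "m", "l": "l"}


def parse_event(line: str) -> dict:
    """Parse an AppArmor log line into a dict; quotes are stripped from values."""
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def suggest_rule(event: dict, action: str = "allow") -> str:
    """Build the profile rule that would satisfy (or explicitly deny) the event."""
    if event.get("apparmor") != "DENIED":
        raise ValueError("not a DENIED event")
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")

    if event.get("operation") == "capable":
        rule = f"capability {event['capname']},"
    elif "name" in event and "requested_mask" in event:
        perms = set()
        for letter in event["requested_mask"]:
            if letter not in MASK_MAP:
                raise ValueError(f"mask '{letter}' needs a hand-written rule (exec modes etc.)")
            perms.add(MASK_MAP[letter])
        # use 'owner' when the file belongs to the process's fsuid, as aa-logprof offers
        owner = "owner " if "fsuid" in event and event["fsuid"] == event.get("ouid") else ""
        rule = f"{owner}{event['name']} {''.join(sorted(perms))},"
    else:
        raise ValueError(f"unsupported operation {event.get('operation')!r}")

    return rule if action == "allow" else "deny " + rule


def local_override_path(main_profile_text: str):
    """Return /etc/apparmor.d/local/<name> named by the profile's include line, or None."""
    m = LOCAL_INCLUDE_RE.search(main_profile_text)
    return f"/etc/apparmor.d/local/{m.group(1)}" if m else None


# Sample 1: the notification quoted in the thread.
CUPS_CAPABILITY_LINE = (
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" '
    'pid=2196 comm="cups-browsed" capability=23 capname="sys_nice"'
)
# Sample 2: a constructed file-access denial in the same key=value format.
FILE_OPEN_LINE = (
    'apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" '
    'name="/home/user/.cache/example.log" pid=2200 comm="cups-browsed" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000'
)
# Constructed stand-in for the main profile, carrying the include line the post quotes.
CUPS_PROFILE_TEXT = """/usr/sbin/cups-browsed {
  #include <abstractions/base>
  capability net_bind_service,

  include <local/cups-browsed>
}
"""

if __name__ == "__main__":
    for line in (CUPS_CAPABILITY_LINE, FILE_OPEN_LINE):
        ev = parse_event(line)
        print(f"{ev['profile']}: allow -> {suggest_rule(ev)}  |  deny -> {suggest_rule(ev, 'deny')}")
    print("override file:", local_override_path(CUPS_PROFILE_TEXT))
```

Whichever rule is chosen still has to be appended to the local file by hand and AppArmor reloaded; the point of the helper is to make the parsing and the allow/deny decision explicit and repeatable, and to refuse (rather than guess) for execute requests, where the right exec mode depends on the helper program.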
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    For some reason that command has never worked for me, and this is going back several years. I guess because my system doesn't boot using systemd? What always has worked is: sudo service apparmor reload

    apparmor reload.png
     