Firefox apparmor profile

Discussion in 'all things UNIX' started by Gullible Jones, Feb 13, 2013.

Thread Status:
Not open for further replies.
    Generated on OpenSUSE 12.2, things might be a little different on *buntu. Just wanted to share it, and wondering what editing it could use.

    Code:
    # Last Modified: Wed Feb 13 18:07:20 2013
    #include <tunables/global>
    
    /usr/lib/firefox/firefox {
      #include <abstractions/base>
      #include <abstractions/nameservice>
    
      deny capability sys_ptrace,
    
      deny /bin/bash rx,
    
      /bin/ps rix,
      /dev/dri/* rw,
      /dev/shm/ r,
      /dev/shm/* rw,
      /dev/tty rw,
      /etc/** r,
      /home/*/.ICEauthority r,
      /home/*/.adobe/**/ r,
      /home/*/.config/* r,
      /home/*/.fontconfig/* r,
      /home/*/.gstreamer-0.10/* r,
      /home/*/.local/** rw,
      /home/*/.macromedia/** rw,
      /home/*/.mozilla/** rwk,
      /home/*/.pulse-cookie rwk,
      /home/*/Downloads/* rw,
      /proc/ r,
      /proc/*/cmdline r,
      /proc/*/fd/ r,
      /proc/*/mountinfo r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/cpuinfo r,
      /proc/filesystems r,
      /proc/meminfo r,
      /proc/sys/kernel/pid_max r,
      /proc/tty/drivers r,
      /proc/uptime r,
      /sys/devices/system/cpu/present r,
      /tmp/ r,
      /tmp/* rw,
      /tmp/** w,
      /usr/** r,
      /usr/bin/grep rix,
      /usr/lib/firefox/plugin-container rix,
      /usr/lib{,32,64}/** mr,
      /var/** r,
    
    }
    
    This is basically the unedited output of an aa-genprof run.

    - First off, I'm using /usr/lib/firefox/firefox because /usr/bin/firefox points to a shell script... Yay.

    - As you can see, I used globbing, a lot. I figured letting Firefox read from most of the filesystem (/usr, /var, etc.) would be fine. On the other hand, in home directories it can only read from and write to ~/Downloads and a few other places.

    - I denied it from launching bash on general principles. Why should a browser ever need to launch an interactive shell?

    - I'm not entirely sure what sys_ptrace is, but it looks as though Firefox doesn't need it.

    - All the stuff in /proc, I kind of wonder about. How much info does it need about all the stuff I'm running?

    - Likewise rw permission to the world-writable areas: /tmp, /var/tmp, /dev/shm. Maybe I should limit this? That might be difficult to do sanely; OTOH I don't want it clobbering something else's temp files, that would be a huge hazard.

    - I should really read up on some of the flags. I figured inheritance means that a launched process inherits the same AppArmor profile? Yeah... I should really read up on this stuff.

    - Finally, it seems like HTML5 videos don't work with this setup. Anything in particular I need for that?

    Thanks in advance...

    Edit: oh yeah, one more note - I did do a simple test on this, trying to make Firefox open a downloaded archive in File-roller. The test seemed to indicate that AppArmor was working, insofar as the archive manager was unable to launch.

    Edit 2: also, if you want custom GTK2 themes to work, you have to add the following line:

    Code:
      /home/*/.themes/** r,
    
    Edit 3: Flash stopped working until I gave rw access to the audio devices:

    Code:
      /dev/snd/** rw,
    
    This seems unwise though. Wouldn't the above allow Firefox to also record audio, which I definitely don't want?
     
    Last edited by a moderator: Feb 13, 2013
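Editor's note, added as an example and not part of the post above: the profile below is a hardened revision of the aa-genprof output, written against the same OpenSUSE 12.2 paths. It addresses the questions raised in the post: the `ix` mode runs the child under the parent's own profile, while `Px` switches to the child's separate profile and scrubs its environment; the `owner` qualifier confines home, /tmp and /dev/shm access to files owned by the user running Firefox; and, because ALSA names playback PCM nodes `pcmC<card>D<device>p` and capture nodes `pcmC<card>D<device>c`, the audio rules grant only the playback nodes (plus the control and timer nodes ALSA clients open), so Flash and HTML5 audio keep working without the browser being able to record. The separate plugin-container profile and the `~/.cache/mozilla` path are assumptions; the `@{HOME}` and `@{PROC}` variables come from the stock tunables pulled in by `tunables/global`.

```apparmor
# Added example: hardened revision of the genprof profile above (not the
# original poster's file). Paths follow OpenSUSE 12.2; adjust as needed.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # sys_ptrace lets a process inspect and trace other processes.
  # A browser never needs it; keep the deny.
  deny capability sys_ptrace,

  # Executing anything not listed is already denied by default. An explicit
  # deny also suppresses the audit log noise and documents the intent.
  # (deny rules take a bare 'x', not an exec qualifier.)
  deny /bin/bash x,

  # 'ix' = run under THIS profile (inherit). 'Px' = switch to the child's own
  # profile and scrub the environment. Assumes a profile for
  # /usr/lib/firefox/plugin-container exists; otherwise use 'ix' as before.
  /bin/ps                          rix,
  /usr/bin/grep                    rix,
  /usr/lib/firefox/plugin-container Px,

  # Broad read-only access to system trees, as in the original profile.
  /etc/**                r,
  /usr/**                r,
  /usr/lib{,32,64}/**    mr,
  /var/**                r,
  /sys/devices/system/cpu/present r,
  /dev/dri/*             rw,
  /dev/tty               rw,

  # Home: 'owner' restricts each rule to files owned by the invoking user,
  # so /home/* no longer reaches other accounts on a multi-user machine.
  owner @{HOME}/.mozilla/**        rwk,
  owner @{HOME}/.cache/mozilla/**  rw,    # path assumed; Firefox disk cache
  owner @{HOME}/.macromedia/**     rw,
  owner @{HOME}/.adobe/**          r,
  owner @{HOME}/.config/*          r,
  owner @{HOME}/.fontconfig/*      r,
  owner @{HOME}/.gstreamer-0.10/*  r,
  owner @{HOME}/.local/**          rw,
  owner @{HOME}/.themes/**         r,
  owner @{HOME}/.ICEauthority      r,
  owner @{HOME}/.pulse-cookie      rwk,
  owner @{HOME}/Downloads/**       rw,

  # World-writable areas: 'owner' stops the browser from touching (or
  # clobbering) temp files that belong to other users or services.
  /tmp/                  r,
  owner /tmp/**          rw,
  /dev/shm/              r,
  owner /dev/shm/**      rw,

  # /proc: entries under /proc/<pid>/ are owned by that process's uid, so
  # 'owner' limits these reads to the user's own processes.
  @{PROC}/              r,
  owner @{PROC}/*/cmdline   r,
  owner @{PROC}/*/fd/       r,
  owner @{PROC}/*/mountinfo r,
  owner @{PROC}/*/stat      r,
  owner @{PROC}/*/status    r,
  @{PROC}/cpuinfo           r,
  @{PROC}/filesystems       r,
  @{PROC}/meminfo           r,
  @{PROC}/sys/kernel/pid_max r,
  @{PROC}/tty/drivers       r,
  @{PROC}/uptime            r,

  # Audio: playback PCM nodes only. Capture nodes (...c) are denied
  # explicitly; deny rules win over allow rules, so a later '/dev/snd/** rw'
  # added by mistake would still not open the microphone.
  /dev/snd/controlC[0-9]*         rw,
  /dev/snd/timer                  r,
  /dev/snd/pcmC[0-9]*D[0-9]*p     rw,
  deny /dev/snd/pcmC[0-9]*D[0-9]*c rw,
}
```

Load it with `apparmor_parser -r` on the profile file and watch `dmesg` or `/var/log/audit/audit.log` for `apparmor="DENIED"` lines while exercising the browser; anything a site legitimately needs will show up there as a denied path rather than as a silent failure, which is the same way the HTML5 video problem in the post can be tracked down to its missing rule.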