# Alberto - 2014-03-08
# vim:syntax=apparmor
#include <tunables/global>
/usr/lib/iceweasel/iceweasel {
# Confinement for the iceweasel (Debian Firefox) binary.  AppArmor profiles
# are allow-lists: every rule in this file grants something and there is no
# "deny" rule anywhere, so anything not matched is refused (enforce mode)
# or merely logged (complain mode).
#
# Permission letters used below: r read, w write (includes create),
# k file lock, m map executable (mmap PROT_EXEC), x execute with a mode:
#   ix  run under this same profile (inherit)
#   cx  transition to the named child profile; the lowercase form keeps
#       the caller's environment (LD_PRELOAD & co. are NOT scrubbed)
#   Ux  run unconfined; the uppercase form scrubs the environment first
# "owner" restricts a rule to files owned by the process's uid.
# "*" never crosses a "/" in a path; "**" does.  A trailing "/" matches
# directories only.
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/fonts>
#include <abstractions/audio>
#include <abstractions/X>
# Access iceweasel files.
/usr/lib/mozilla/** r,
/usr/lib/iceweasel/** r,
/etc/iceweasel/** r,
# Make browsing directories work
# Directory listing anywhere on the filesystem (directories only, because
# of the trailing "/"; file contents are not covered).  Still wider than a
# browser strictly needs: it exposes the layout of every readable directory.
/ r,
/**/ r,
# Allow access to documentation and other files the user may want to look
# at in /usr
# NOTE(review): there is no "/" between the brace group and "**", so this
# also matches any path whose name merely starts with one of these prefixes
# (e.g. /usr/share-extra/...).  "/usr/{include,share,src}/**" is the
# intended shape — confirm nothing depends on the looser match first.
/usr/{include,share,src}** r,
# Default profile allows downloads to ~/Downloads and uploads from ~/Public
# "*" stops at "/", so only entries directly inside these directories are
# covered: files can be created/written in ~/Downloads itself, but
# subdirectories of ~/Downloads or ~/Public are neither listed nor touched.
owner @{HOME}/ r,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/* r,
owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/* rw,
# Helpers
# "ix": the helper inherits this profile, so whatever handler it then execs
# is still subject to the rules in this file (an unlisted handler is refused).
/usr/bin/xdg-open ixr,
/usr/bin/gnome-open ixr,
/usr/bin/gvfs-open ixr,
# Configuration and caches.
# "k" (file locking) is granted on the profile and cache trees only —
# presumably for the databases the browser keeps there.
owner @{HOME}/.mozilla/ rw,
owner @{HOME}/.mozilla/** rwk,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/** rwk,
owner @{HOME}/.gnome2/ rw,
owner @{HOME}/.gnome2/** rw,
owner @{HOME}/.gnome2_private/ rw,
owner @{HOME}/.gnome2_private/** rw,
owner @{HOME}/.config/user-dirs.dirs r,
# NOTE(review): read/write/lock on *everything* under the user's runtime
# directory, i.e. whatever sockets or files other session services keep
# there too, not only what the browser itself uses.  Narrowing this to the
# specific subdirectories that show up as denials in the audit log would
# be safer.
owner /run/user/** rwk,
# System level stuff.
# NOTE(review): no "owner" here (contrast the child profile's
# "@{PROC}/[0-9]*/cmdline" below), so this allows reading every process's
# /proc entries, not just the browser's own; kernel DAC/ptrace checks are
# the only remaining limit.  "owner @{PROC}/[0-9]*/** r," is the tighter
# form (@{PROC} is already in scope via tunables/global, as the child
# profile's use of it shows) — check the audit log for any non-own pid the
# browser really reads before switching.
/proc/*/** r,
# Read plus executable mapping on every library under /usr/lib: any
# installed shared object, whichever package it belongs to, can be loaded
# into the browser process.
/usr/lib/** rm,
/var/lib/dbus/machine-id r,
/etc/gnome-vfs-2.0/modules/* r,
/etc/drirc r,
/etc/mozpluggerrc r,
/etc/mime.types r,
/etc/mailcap r,
/sys/devices/system/cpu/present r,
/etc/udev/udev.conf r,
# It needs to run m4 when ran for the first time.
# m4 runs under this same profile (ix).
/usr/bin/m4 ixr,
# Run dbus-launch, which runs dbus-daemon if it's not there already.
# We trust it enough to run unrestricted, but after cleaning the
# environment.
# "Ux" = unconfined, environment scrubbed before the exec.  Anything that
# dbus-launch, or the dbus-daemon it starts, goes on to spawn is unconfined
# as well (unless a profile is attached to that path).  This is the only
# exit from confinement in the main profile.
/usr/bin/dbus-launch Uxr,
# Run xulrunner/plugin-container.
# Note we need to use lowercase 'c' as Firefox *will* do tricks with the
# environment. It is still under the sub-profile, though.
# (Lowercase "cx" means LD_* and similar variables set by the browser reach
# plugin-container unscrubbed; the child profile below is what limits the
# damage.)
/usr/lib/xulrunner-*/plugin-container cxr -> plugin_container,
/usr/lib/iceweasel/xulrunner/plugin-container cxr -> plugin_container,
/usr/lib/iceweasel/plugin-container cxr -> plugin_container,
/usr/lib/iceweasel/xulrunner/** rm,
# Child profile for plugin-container, the process that hosts third-party
# browser plugins.  It deliberately gets less than the browser: no
# nameservice abstraction, no /run/user, no ~/.cache, no ~/Downloads, and
# the browser profile read-only.
profile plugin_container {
#include <abstractions/base>
#include <abstractions/user-tmp>
#include <abstractions/fonts>
#include <abstractions/audio>
#include <abstractions/X>
@{PROC}/[0-9]*/cmdline r,
# The plugin container needs to run small scripts.
# Let it get a shell, a normal ps, and grep; which seems to be enough.
/bin/dash ixr,
# NOTE(review): "Ux" runs ps unconfined (environment scrubbed) —
# presumably because this child profile only grants /proc/<pid>/cmdline,
# which is not enough for ps.  The consequence is that plugin code able to
# exec ps obtains an unconfined process.  An "ix" with the /proc paths ps
# actually reads, or a "px" into a small dedicated ps profile, would keep
# it confined — confirm from the audit log what ps needs.
/bin/ps Uxr,
/bin/grep ixr,
# Files it really needs to access (including executable mappings to the
# xulrunner libraries).
/usr/lib/iceweasel/xulrunner/** rm,
/usr/lib/xulrunner-*/** rm,
/usr/lib/iceweasel/plugin-container rm,
# Read, but not write, from our profile.
# NOTE(review): read-only, but it is the *whole* profile tree, so any
# credential, cookie or certificate database the browser keeps under
# ~/.mozilla is readable by plugin code running in this container.  If no
# plugin needs those files, explicit "deny ... r," rules for them here would
# close that off (a deny rule wins over an allow regardless of order).
owner @{HOME}/.mozilla/** r,
/etc/passwd r,
# The flash plugin needs these, both to the directory to create it if it
# doesn't exist, and full access within.
# Note this is the only special place it can write to (other than tmp,
# audio, etc.).
owner @{HOME}/.adobe/ rw,
owner @{HOME}/.adobe/** rw,
owner @{HOME}/.macromedia/ rw,
owner @{HOME}/.macromedia/** rw,
# Miscellaneous things that are required and safe to read.
/usr/share/icons/** r,
/usr/share/themes/** r,
/etc/vdpau_wrapper.cfg r,
/etc/machine-id r,
/etc/ssl/openssl.cnf r,
/usr/lib/ssl/openssl.cnf r,
# We're not giving it full nameservice permissions, but it needs these.
# (Only the resolver/nss configuration files, not the sockets and caches
# the nameservice abstraction would add.)
/etc/nsswitch.conf r,
/etc/group r,
/etc/host.conf r,
/etc/resolv.conf r,
/etc/hosts r,
}
}