apparmor: add unconfined profiles for abrowser and icedove.
This commit is contained in:
parent
45b150b801
commit
8233f4de21
4 changed files with 188 additions and 3 deletions
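--- a/helpers/DATA/apparmor/add-extra-abrowser-profile.patch
+++ b/helpers/DATA/apparmor/add-extra-abrowser-profile.patch
@@ -0,0 +1,91 @@
+diff --git a/profiles/apparmor/profiles/extras/abrowser b/profiles/apparmor/profiles/extras/abrowser
+index c7b4aa7c..ed8f01c5 100644
+--- a/profiles/apparmor/profiles/extras/abrowser
++++ b/profiles/apparmor/profiles/extras/abrowser
+@@ -14,7 +14,7 @@ abi <abi/4.0>,
+include <tunables/global>
+
+# Declare some variables to help with variants
+-@{MOZ_APP_NAME}=firefox{,-esr}
++@{MOZ_APP_NAME}=abrowser{,-esr}
+@{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*}
+@{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons
+
+@@ -22,7 +22,7 @@ include <tunables/global>
+# /usr/lib/firefox-4.0b8/firefox
+# but not:
+# /usr/lib/firefox-4.0b8/firefox.sh
+-profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
++profile abrowser @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+ include <abstractions/audio>
+ include <abstractions/cups-client>
+ include <abstractions/dbus-strict>
+@@ -144,8 +144,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+ /etc/wildmidi/wildmidi.cfg r,
+
+ # firefox specific
+- /etc/firefox*/ r,
+- /etc/firefox*/** r,
++ /etc/abrowser*/ r,
++ /etc/abrowser*/** r,
+ /etc/xul-ext/** r,
+ /etc/xulrunner{,-[0-9]*}/ r,
+ /etc/xulrunner{,-[0-9]*}/** r,
+@@ -234,12 +234,12 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+ owner @{HOME}/.thumbnails/*/*.png r,
+
+ # per-user firefox configuration
+- owner @{HOME}/.{firefox,mozilla}/ rw,
+- owner @{HOME}/.{firefox,mozilla}/** rw,
+- owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
+- owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
+- owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
+- owner @{HOME}/.gnome2/firefox* rwk,
++ owner @{HOME}/.{abrowser,mozilla}/ rw,
++ owner @{HOME}/.{abrowser,mozilla}/** rw,
++ owner @{HOME}/.{abrowser,mozilla}/**/*.{db,parentlock,sqlite}* k,
++ owner @{HOME}/.{abrowser,mozilla}/plugins/** rm,
++ owner @{HOME}/.{abrowser,mozilla}/**/plugins/** rm,
++ owner @{HOME}/.gnome2/abrowser* rwk,
+ owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
+ owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
+ owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
+@@ -440,7 +440,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+ owner @{HOME}/.mozilla/**/extensions/** mixr,
+
+ # Widevine CDM plugin (LP: #1777070)
+- owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/libwidevinecdm.so m,
++ owner @{HOME}/.mozilla/abrowser/*/gmp-widevinecdm/*/libwidevinecdm.so m,
+
+ deny @{MOZ_LIBDIR}/update.test w,
+ deny /usr/lib/mozilla/extensions/**/ w,
+@@ -458,7 +458,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+
+ /usr/bin/lsb_release Pxr -> lsb_release,
+
+- # These should be started outside of Firefox
++ # These should be started outside of abrowser
+ deny /usr/bin/dbus-launch x,
+ deny /usr/bin/speech-dispatcher x,
+
+@@ -466,6 +466,6 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
+ include if exists <abstractions/ubuntu-browsers.d/firefox>
+
+ # Site-specific additions and overrides. See local/README for details.
+- include if exists <local/usr.bin.firefox>
+- include if exists <local/firefox>
++ include if exists <local/usr.bin.abrowser>
++ include if exists <local/abrowser>
+}
+diff --git a/debian/apparmor-profiles.install b/debian/apparmor-profiles.install
+index d12ab262..a6ea623d 100644
+--- a/debian/apparmor-profiles.install
++++ b/debian/apparmor-profiles.install
+@@ -86,6 +86,7 @@ usr/share/apparmor/extra-profiles/usr.lib.GConf.2.gconfd-2
+usr/share/apparmor/extra-profiles/usr.lib.RealPlayer10.realplay
+usr/share/apparmor/extra-profiles/usr.lib.bonobo.bonobo-activation-server
+usr/share/apparmor/extra-profiles/usr.lib.evolution-data-server.evolution-data-server-1.10
++usr/share/apparmor/extra-profiles/abrowser
+usr/share/apparmor/extra-profiles/firefox
+usr/share/apparmor/extra-profiles/firefox.sh
+usr/share/apparmor/extra-profiles/usr.lib.firefox.mozilla-xremote-client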
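Review bot: The @@ -466 hunk of the nested abrowser patch leaves `include if exists <abstractions/ubuntu-browsers.d/firefox>` untouched while every other firefox reference in the file is renamed to abrowser; if that is deliberate (no abrowser-specific abstraction exists and the firefox one is meant to be shared), a comment such as `# abrowser reuses the firefox browser abstraction on purpose` above the include would stop a later rename pass from breaking it. The comment block above the profile header in the @@ -22 hunk (`# /usr/lib/firefox-4.0b8/firefox`, `# /usr/lib/firefox-4.0b8/firefox.sh`) likewise still documents firefox paths for what is now the abrowser profile. This extras profile is also named `abrowser` and attaches to the same binary as the unconfined `profile abrowser` added under profiles/apparmor.d in this commit, mirroring the upstream firefox pair; since AppArmor profiles are keyed by name, only one of the two can be active at a time and loading the second replaces or conflicts with the first, which is worth a line in the patch header so nobody installs the extras copy expecting it to coexist with the unconfined one.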
@ -0,0 +1,52 @@
diff --git a/profiles/apparmor.d/abrowser b/profiles/apparmor.d/abrowser
index c4b6337f..8a3ac9ec 100644
--- a/profiles/apparmor.d/abrowser
+++ b/profiles/apparmor.d/abrowser
@@ -4,9 +4,9 @@
abi <abi/4.0>,
include <tunables/global>
-profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
+profile abrowser /usr/lib/abrowser{,-esr,-beta,-devedition,-nightly}/abrowser{,-esr,-bin} flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
- include if exists <local/firefox>
+ include if exists <local/abrowser>
}
diff --git a/profiles/apparmor.d/icedove b/profiles/apparmor.d/icedove
index 060eb24d..667b1674 100644
--- a/profiles/apparmor.d/icedove
+++ b/profiles/apparmor.d/icedove
@@ -4,9 +4,9 @@
abi <abi/4.0>,
include <tunables/global>
-profile thunderbird /usr/bin/thunderbird flags=(unconfined) {
+profile icedove /usr/bin/icedove flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
- include if exists <local/thunderbird>
+ include if exists <local/icedove>
}
diff --git a/debian/apparmor.install b/debian/apparmor.install
index 79c8700e..2971e426 100644
--- a/debian/apparmor.install
+++ b/debian/apparmor.install
@@ -68,6 +68,7 @@ etc/apparmor.d/sbuild-update
etc/apparmor.d/sbuild-upgrade
etc/apparmor.d/slirp4netns
etc/apparmor.d/stress-ng
+etc/apparmor.d/icedove
etc/apparmor.d/thunderbird
etc/apparmor.d/toybox
etc/apparmor.d/trinity
@@ -83,6 +84,7 @@ etc/apparmor.d/1password
etc/apparmor.d/Discord
etc/apparmor.d/MongoDB_Compass
etc/apparmor.d/code
+etc/apparmor.d/abrowser
etc/apparmor.d/firefox
etc/apparmor.d/github-desktop
etc/apparmor.d/obsidian
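--- a/helpers/DATA/apparmor/update-profile-extra-firefox-sh.patch
+++ b/helpers/DATA/apparmor/update-profile-extra-firefox-sh.patch
@@ -0,0 +1,27 @@
+diff --git a/profiles/apparmor/profiles/extras/firefox.sh b/profiles/apparmor/profiles/extras/firefox.sh
+index fb75c5b6..83a7404c 100644
+--- a/profiles/apparmor/profiles/extras/firefox.sh
++++ b/profiles/apparmor/profiles/extras/firefox.sh
+@@ -22,3 +22,22 @@ profile firefox.sh /usr/lib/firefox/firefox.sh {
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/firefox.sh>
+}
++
++profile firefox.sh /usr/lib/abrowser/firefox.sh {
++ include <abstractions/base>
++ include <abstractions/bash>
++ include <abstractions/consoles>
++
++ deny capability sys_ptrace,
++
++ /{usr/,}bin/basename rix,
++ /{usr/,}bin/bash rix,
++ /{usr/,}bin/grep rix,
++ /etc/magic r,
++ /usr/bin/file rix,
++ /usr/lib/abrowser/abrowser px,
++ /usr/share/misc/magic.mgc r,
++
++ # Site-specific additions and overrides. See local/README for details.
++ include if exists <local/firefox.sh>
++}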
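Review bot: The profile appended in the nested @@ -22 hunk is declared as `profile firefox.sh /usr/lib/abrowser/firefox.sh {`, reusing the name `firefox.sh` that the first profile in the same file already carries; apparmor_parser rejects a file that defines one profile name twice as a multiple definition, so the whole extras file would fail to load rather than just the new block. Give the copy its own name and its own override hook, e.g. `+profile abrowser.sh /usr/lib/abrowser/firefox.sh {` and `+ include if exists <local/abrowser.sh>`, which also matches the helper's own comment calling this the "abrowser.sh profile". Whether the abrowser package really ships its wrapper as `firefox.sh` under /usr/lib/abrowser is not visible here and should be checked against the package file list before the attachment path is kept. The `/usr/lib/abrowser/abrowser px,` transition requires a profile attached to that binary to be loaded; this commit provides two candidates (the extras `abrowser` profile and the unconfined profiles/apparmor.d one), and which of them is active decides whether the child ends up confined or unconfined.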
@ -17,14 +17,29 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
VERSION=0
VERSION=1
. ./config
# Apply fix for pipewire on apparmor, see more at:
# https://bugs.launchpad.net/apparmor/+bug/2003702
patch --no-backup-if-mismatch -p1 < $DATA/b5a7641dd3502fcfb897d3b96e197628b674ce3c.patch
patch_p1 $DATA/b5a7641dd3502fcfb897d3b96e197628b674ce3c.patch
changelog "Apply fix LP:2003702 for pidgin like clients."
# Add custom unconfined profiles for abrowser and icedove, deliberately patch
# upon an original upstream profile copy to force track original files and
# update patch accordinlgy, as it's an important security feature starting
# at upstream 23.10:
# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
cp profiles/apparmor.d/{thunderbird,icedove}
cp profiles/apparmor.d/{firefox,abrowser}
patch_p1 $DATA/add-unconfined-profile-firefox-icedove.patch
cp profiles/apparmor/profiles/extras/{firefox,abrowser}
patch_p1 $DATA/add-extra-abrowser-profile.patch
# Note: look for updates on abrowser.sh profile on each helper/patch change:
patch_p1 $DATA/update-profile-extra-firefox-sh.patch
changelog "Apply fix LP:2003702 for pidgin like clients. | Add unconfined profiles for firefox and icedove."
package