apparmor: add icecat profiles for ecne

2025-07-18 01:26:59 -06:00 · 2025-07-18 01:26:59 -06:00 · de8087afd0
commit de8087afd0
parent 2a88e15ae0
5 changed files with 231 additions and 102 deletions
--- a/helpers/DATA/apparmor/002-add-unconfined-profile-firefox-icedove-icecat.patch
+++ b/helpers/DATA/apparmor/002-add-unconfined-profile-firefox-icedove-icecat.patch
@ -30,8 +30,24 @@ index 060eb24d..667b1674 100644
 -  include if exists <local/thunderbird>
 +  include if exists <local/icedove>
 }
 diff --git a/profiles/apparmor.d/icecat b/profiles/apparmor.d/icecat
 index 4071c345..148e445e 100644
 --- a/profiles/apparmor.d/icecat
 +++ b/profiles/apparmor.d/icecat
@@ -4,9 +4,9 @@
 abi <abi/4.0>,
 include <tunables/global>
 -profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
 +profile icecat /{usr/lib/icecat{,-esr,-beta,-devedition,-nightly},opt/icecat}/icecat{,-esr,-bin} flags=(unconfined) {
   userns,
   # Site-specific additions and overrides. See local/README for details.
 -  include if exists <local/firefox>
 +  include if exists <local/icecat>
 }
 diff --git a/debian/apparmor.install b/debian/apparmor.install
-index 79c8700e..2971e426 100644
+index 9cdaa3a2..d9ee697c 100644
 --- a/debian/apparmor.install
 +++ b/debian/apparmor.install
@@ -68,6 +68,7 @@ etc/apparmor.d/sbuild-update
@ -42,11 +58,13 @@ index 79c8700e..2971e426 100644
 etc/apparmor.d/thunderbird
 etc/apparmor.d/toybox
 etc/apparmor.d/trinity
-@@ -83,6 +84,7 @@ etc/apparmor.d/1password
+@@ -83,7 +84,9 @@ etc/apparmor.d/1password
 etc/apparmor.d/Discord
 etc/apparmor.d/MongoDB_Compass
 etc/apparmor.d/code
 +etc/apparmor.d/abrowser
 etc/apparmor.d/firefox
 +etc/apparmor.d/icecat
 etc/apparmor.d/github-desktop
 etc/apparmor.d/obsidian
 etc/apparmor.d/opera
--- a/helpers/DATA/apparmor/003-add-extra-abrowser-profile.patch
+++ b/helpers/DATA/apparmor/003-add-extra-abrowser-profile.patch
@ -1,91 +0,0 @@
 diff --git a/profiles/apparmor/profiles/extras/abrowser b/profiles/apparmor/profiles/extras/abrowser
 index c7b4aa7c..ed8f01c5 100644
 --- a/profiles/apparmor/profiles/extras/abrowser
 +++ b/profiles/apparmor/profiles/extras/abrowser
@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 # Declare some variables to help with variants
 -@{MOZ_APP_NAME}=firefox{,-esr}
 +@{MOZ_APP_NAME}=abrowser{,-esr}
 @{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*}
 @{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons
@@ -22,7 +22,7 @@ include <tunables/global>
 #  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
 -profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 +profile abrowser @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include <abstractions/audio>
   include <abstractions/cups-client>
   include <abstractions/dbus-strict>
@@ -144,8 +144,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /etc/wildmidi/wildmidi.cfg r,
   # firefox specific
 -  /etc/firefox*/ r,
 -  /etc/firefox*/** r,
 +  /etc/abrowser*/ r,
 +  /etc/abrowser*/** r,
   /etc/xul-ext/** r,
   /etc/xulrunner{,-[0-9]*}/ r,
   /etc/xulrunner{,-[0-9]*}/** r,
@@ -234,12 +234,12 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.thumbnails/*/*.png r,
   # per-user firefox configuration
 -  owner @{HOME}/.{firefox,mozilla}/ rw,
 -  owner @{HOME}/.{firefox,mozilla}/** rw,
 -  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
 -  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
 -  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
 -  owner @{HOME}/.gnome2/firefox* rwk,
 +  owner @{HOME}/.{abrowser,mozilla}/ rw,
 +  owner @{HOME}/.{abrowser,mozilla}/** rw,
 +  owner @{HOME}/.{abrowser,mozilla}/**/*.{db,parentlock,sqlite}* k,
 +  owner @{HOME}/.{abrowser,mozilla}/plugins/** rm,
 +  owner @{HOME}/.{abrowser,mozilla}/**/plugins/** rm,
 +  owner @{HOME}/.gnome2/abrowser* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
@@ -440,7 +440,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.mozilla/**/extensions/** mixr,
   # Widevine CDM plugin (LP: #1777070)
 -  owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/libwidevinecdm.so m,
 +  owner @{HOME}/.mozilla/abrowser/*/gmp-widevinecdm/*/libwidevinecdm.so m,
   deny @{MOZ_LIBDIR}/update.test w,
   deny /usr/lib/mozilla/extensions/**/ w,
@@ -458,7 +458,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /usr/bin/lsb_release Pxr -> lsb_release,
 -  # These should be started outside of Firefox
 +  # These should be started outside of abrowser
   deny /usr/bin/dbus-launch x,
   deny /usr/bin/speech-dispatcher x,
@@ -466,6 +466,6 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include if exists <abstractions/ubuntu-browsers.d/firefox>
   # Site-specific additions and overrides. See local/README for details.
 -  include if exists <local/usr.bin.firefox>
 -  include if exists <local/firefox>
 +  include if exists <local/usr.bin.abrowser>
 +  include if exists <local/abrowser>
 }
 diff --git a/debian/apparmor-profiles.install b/debian/apparmor-profiles.install
 index d12ab262..a6ea623d 100644
 --- a/debian/apparmor-profiles.install
 +++ b/debian/apparmor-profiles.install
@@ -86,6 +86,7 @@ usr/share/apparmor/extra-profiles/usr.lib.GConf.2.gconfd-2
 usr/share/apparmor/extra-profiles/usr.lib.RealPlayer10.realplay
 usr/share/apparmor/extra-profiles/usr.lib.bonobo.bonobo-activation-server
 usr/share/apparmor/extra-profiles/usr.lib.evolution-data-server.evolution-data-server-1.10
 +usr/share/apparmor/extra-profiles/abrowser
 usr/share/apparmor/extra-profiles/firefox
 usr/share/apparmor/extra-profiles/firefox.sh
 usr/share/apparmor/extra-profiles/usr.lib.firefox.mozilla-xremote-client
--- a/helpers/DATA/apparmor/003-add-extra-profile-for-abrowser-icecat.patch
+++ b/helpers/DATA/apparmor/003-add-extra-profile-for-abrowser-icecat.patch
@ -0,0 +1,173 @@
 diff --git a/profiles/apparmor/profiles/extras/icecat b/profiles/apparmor/profiles/extras/icecat
 index cbe1aa80..71813e99 100644
 --- a/profiles/apparmor/profiles/extras/icecat
 +++ b/profiles/apparmor/profiles/extras/icecat
@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 # Declare some variables to help with variants
 -@{MOZ_APP_NAME}=firefox{,-esr}
 +@{MOZ_APP_NAME}=icecat{,-esr}
 @{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*}
 @{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons
@@ -22,7 +22,7 @@ include <tunables/global>
 #  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
 -profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 +profile icecat @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include <abstractions/audio>
   include <abstractions/cups-client>
   include <abstractions/dbus-strict>
@@ -144,8 +144,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /etc/wildmidi/wildmidi.cfg r,
   # firefox specific
 -  /etc/firefox*/ r,
 -  /etc/firefox*/** r,
 +  /etc/icecat*/ r,
 +  /etc/icecat*/** r,
   /etc/xul-ext/** r,
   /etc/xulrunner{,-[0-9]*}/ r,
   /etc/xulrunner{,-[0-9]*}/** r,
@@ -234,12 +234,12 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.thumbnails/*/*.png r,
   # per-user firefox configuration
 -  owner @{HOME}/.{firefox,mozilla}/ rw,
 -  owner @{HOME}/.{firefox,mozilla}/** rw,
 -  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
 -  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
 -  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
 -  owner @{HOME}/.gnome2/firefox* rwk,
 +  owner @{HOME}/.{icecat,mozilla}/ rw,
 +  owner @{HOME}/.{icecat,mozilla}/** rw,
 +  owner @{HOME}/.{icecat,mozilla}/**/*.{db,parentlock,sqlite}* k,
 +  owner @{HOME}/.{icecat,mozilla}/plugins/** rm,
 +  owner @{HOME}/.{icecat,mozilla}/**/plugins/** rm,
 +  owner @{HOME}/.gnome2/icecat* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
@@ -440,7 +440,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.mozilla/**/extensions/** mixr,
   # Widevine CDM plugin (LP: #1777070)
 -  owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/libwidevinecdm.so m,
 +  owner @{HOME}/.mozilla/icecat/*/gmp-widevinecdm/*/libwidevinecdm.so m,
   deny @{MOZ_LIBDIR}/update.test w,
   deny /usr/lib/mozilla/extensions/**/ w,
@@ -458,7 +458,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /usr/bin/lsb_release Pxr -> lsb_release,
 -  # These should be started outside of Firefox
 +  # These should be started outside of icecat
   deny /usr/bin/dbus-launch x,
   deny /usr/bin/speech-dispatcher x,
@@ -466,6 +466,6 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include if exists <abstractions/ubuntu-browsers.d/firefox>
   # Site-specific additions and overrides. See local/README for details.
 -  include if exists <local/usr.bin.firefox>
 -  include if exists <local/firefox>
 +  include if exists <local/usr.bin.icecat>
 +  include if exists <local/icecat>
 }
 diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/abrowser
 index cbe1aa80..2fb77651 100644
 --- a/profiles/apparmor/profiles/extras/firefox
 +++ b/profiles/apparmor/profiles/extras/abrowser
@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 # Declare some variables to help with variants
 -@{MOZ_APP_NAME}=firefox{,-esr}
 +@{MOZ_APP_NAME}=abrowser{,-esr}
 @{MOZ_LIBDIR}=/usr/lib/@{MOZ_APP_NAME}{,-[0-9]*}
 @{MOZ_ADDONDIR}=/usr/lib/{@{MOZ_APP_NAME},xulrunner}-addons
@@ -22,7 +22,7 @@ include <tunables/global>
 #  /usr/lib/firefox-4.0b8/firefox
 # but not:
 #  /usr/lib/firefox-4.0b8/firefox.sh
 -profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
 +profile abrowser @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include <abstractions/audio>
   include <abstractions/cups-client>
   include <abstractions/dbus-strict>
@@ -144,8 +144,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /etc/wildmidi/wildmidi.cfg r,
   # firefox specific
 -  /etc/firefox*/ r,
 -  /etc/firefox*/** r,
 +  /etc/abrowser*/ r,
 +  /etc/abrowser*/** r,
   /etc/xul-ext/** r,
   /etc/xulrunner{,-[0-9]*}/ r,
   /etc/xulrunner{,-[0-9]*}/** r,
@@ -234,12 +234,12 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.thumbnails/*/*.png r,
   # per-user firefox configuration
 -  owner @{HOME}/.{firefox,mozilla}/ rw,
 -  owner @{HOME}/.{firefox,mozilla}/** rw,
 -  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
 -  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
 -  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
 -  owner @{HOME}/.gnome2/firefox* rwk,
 +  owner @{HOME}/.{abrowser,mozilla}/ rw,
 +  owner @{HOME}/.{abrowser,mozilla}/** rw,
 +  owner @{HOME}/.{abrowser,mozilla}/**/*.{db,parentlock,sqlite}* k,
 +  owner @{HOME}/.{abrowser,mozilla}/plugins/** rm,
 +  owner @{HOME}/.{abrowser,mozilla}/**/plugins/** rm,
 +  owner @{HOME}/.gnome2/abrowser* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
@@ -440,7 +440,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.mozilla/**/extensions/** mixr,
   # Widevine CDM plugin (LP: #1777070)
 -  owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/libwidevinecdm.so m,
 +  owner @{HOME}/.mozilla/abrowser/*/gmp-widevinecdm/*/libwidevinecdm.so m,
   deny @{MOZ_LIBDIR}/update.test w,
   deny /usr/lib/mozilla/extensions/**/ w,
@@ -458,7 +458,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   /usr/bin/lsb_release Pxr -> lsb_release,
 -  # These should be started outside of Firefox
 +  # These should be started outside of abrowser
   deny /usr/bin/dbus-launch x,
   deny /usr/bin/speech-dispatcher x,
@@ -466,6 +466,6 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   include if exists <abstractions/ubuntu-browsers.d/firefox>
   # Site-specific additions and overrides. See local/README for details.
 -  include if exists <local/usr.bin.firefox>
 -  include if exists <local/firefox>
 +  include if exists <local/usr.bin.abrowser>
 +  include if exists <local/abrowser>
 }
 diff --git a/debian/apparmor-profiles.install b/debian/apparmor-profiles.install
 index 5cecd9dd..62531edb 100644
 --- a/debian/apparmor-profiles.install
 +++ b/debian/apparmor-profiles.install
@@ -88,8 +88,10 @@ usr/share/apparmor/extra-profiles/usr.lib.GConf.2.gconfd-2
 usr/share/apparmor/extra-profiles/usr.lib.RealPlayer10.realplay
 usr/share/apparmor/extra-profiles/usr.lib.bonobo.bonobo-activation-server
 usr/share/apparmor/extra-profiles/usr.lib.evolution-data-server.evolution-data-server-1.10
 +usr/share/apparmor/extra-profiles/abrowser
 usr/share/apparmor/extra-profiles/firefox
 usr/share/apparmor/extra-profiles/firefox.sh
 +usr/share/apparmor/extra-profiles/icecat
 usr/share/apparmor/extra-profiles/usr.lib.firefox.mozilla-xremote-client
 usr/share/apparmor/extra-profiles/usr.lib.man-db.man
 usr/share/apparmor/extra-profiles/postfix-anvil
--- a/helpers/DATA/apparmor/004-update-profile-extra-firefox-sh.patch
+++ b/helpers/DATA/apparmor/004-update-profile-extra-firefox-sh.patch
@ -1,8 +1,8 @@
 diff --git a/profiles/apparmor/profiles/extras/firefox.sh b/profiles/apparmor/profiles/extras/firefox.sh
-index fb75c5b6..83a7404c 100644
+index fb75c5b6..7b23cd83 100644
 --- a/profiles/apparmor/profiles/extras/firefox.sh
 +++ b/profiles/apparmor/profiles/extras/firefox.sh
-@@ -22,3 +22,22 @@ profile firefox.sh /usr/lib/firefox/firefox.sh {
+@@ -22,3 +22,41 @@ profile firefox.sh /usr/lib/firefox/firefox.sh {
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/firefox.sh>
 }
@ -25,3 +25,22 @@ index fb75c5b6..83a7404c 100644
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/firefox.sh>
 +}
 +
 +profile firefox.sh /usr/lib/icecat/firefox.sh {
 +  include <abstractions/base>
 +  include <abstractions/bash>
 +  include <abstractions/consoles>
 +
 +  deny capability sys_ptrace,
 +
 +  /{usr/,}bin/basename rix,
 +  /{usr/,}bin/bash rix,
 +  /{usr/,}bin/grep rix,
 +  /etc/magic r,
 +  /usr/bin/file rix,
 +  /usr/lib/icecat/icecat px,
 +  /usr/share/misc/magic.mgc r,
 +
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/firefox.sh>
 +}
--- a/helpers/make-apparmor
+++ b/helpers/make-apparmor
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#    Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
+#    Copyright (C) 2025 Luis Guzmán <ark@switnet.org>
 #
 #    This program is free software; you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
@ -17,7 +17,7 @@
 #    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 #
-VERSION=3
+VERSION=4
 . ./config
@ -28,17 +28,27 @@ VERSION=3
 # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
 cp profiles/apparmor.d/{thunderbird,icedove}
-cp profiles/apparmor.d/{firefox,abrowser}
+for i in abrowser icecat
-patch_p1 $DATA/002-add-unconfined-profile-firefox-icedove.patch
+do
    cp profiles/apparmor.d/firefox profiles/apparmor.d/$i
 done
 patch_p1 $DATA/002-add-unconfined-profile-firefox-icedove-icecat.patch
-cp profiles/apparmor/profiles/extras/{firefox,abrowser}
+for i in abrowser icecat
-patch_p1 $DATA/003-add-extra-abrowser-profile.patch
+do
    cp profiles/apparmor/profiles/extras/firefox \
       profiles/apparmor/profiles/extras/$i
 done
 patch_p1 $DATA/003-add-extra-profile-for-abrowser-icecat.patch
 # Note: look for updates on abrowser.sh profile on each helper/patch change:
 patch_p1 $DATA/004-update-profile-extra-firefox-sh.patch
 # Update trasnmission apparmor profile to fix daemon management
 patch_p1 $DATA/005-update_trasnmission_profile_for_daemon_service_fix.patch
-changelog "Apply fix LP:2003702 for pidgin like clients. | Add unconfined profiles for firefox and icedove. | Improve transmission daemon service profile to improve management."
+changelog "Apply fix LP:2003702 for pidgin like clients.
 Add unconfined profiles for firefox and icedove.
 Improve transmission daemon service profile to improve management.
 Add custom profiles for icecat"
 package