Dodany przez: Apparmor - firefox, 18:40 17-08-2015

  3. #include <tunables/global>
  4.  
  5. /usr/lib64/firefox/firefox {
  6.   #include <abstractions/X>
  7.   #include <abstractions/audio>
  8.   #include <abstractions/base>
  9.   #include <abstractions/cups-client>
  10.   #include <abstractions/dbus-session>
  11.   #include <abstractions/fonts>
  12.   #include <abstractions/freedesktop.org>
  13.   #include <abstractions/gnome>
  14.   #include <abstractions/kde>
  15.   #include <abstractions/nameservice>
  16.   #include <abstractions/nvidia>
  17.   #include <abstractions/private-files>
  18.   #include <abstractions/python>
  19.   #include <abstractions/user-tmp>
  20.  
  21.   #  deny network,
  22.   # deny network,
  23.  
  24.   deny /.suspended r,
  25.   deny /bin/bash x,
  26.   deny /boot/initrd.img* r,
  27.   deny /boot/vmlinuz* r,
  28.   deny /usr/bin/clamscan x,
  29.   deny /usr/bin/which x,
  30.   deny /usr/lib/firefox-3.6.*/** w,
  31.   deny /usr/lib/firefox-3.6.10/update.test w,
  32.   deny /usr/lib/firefox-addons/** w,
  33.   deny /usr/lib/mozilla/extensions/**/ w,
  34.   deny /usr/lib/xulrunner-*/components/*.tmp w,
  35.   deny /usr/lib/xulrunner-addons/** w,
  36.   deny /usr/lib/xulrunner-addons/extensions/**/ w,
  37.   deny /usr/share/mozilla/ w,
  38.   deny /usr/share/mozilla/extensions/**/ w,
  39.   deny /var/cache/fontconfig/ w,
  40.   audit deny @{HOME}/.gnome2_private/** mrwlk,
  41.   audit deny @{HOME}/.gnupg/** mrwlk,
  42.   audit deny @{HOME}/.ssh/** mrwlk,
  43.  
  44.   /bin/ps rUx,
  45.   /bin/uname rUx,
  46.   /dev/nvidia0 rw,
  47.   /dev/nvidiactl rw,
  48.   /etc/firefox*/ r,
  49.   /etc/firefox*/** r,
  50.   /etc/fstab r,
  51.   /etc/gai.conf r,
  52.   /etc/mailcap r,
  53.   /etc/mime.types r,
  54.   /etc/mtab r,
  55.   /etc/nsswitch.conf r,
  56.   /etc/resolv.conf r,
  57.   /etc/timezone r,
  58.   /etc/wildmidi/wildmidi.cfg r,
  59.   /sbin/killall5 rix,
  60.   /sys/devices/system/cpu/present r,
  61.   /sys/devices/**/config  r,
  62.   /sys/bus/pci/devices/   r,
  63.   /tmp/ r,
  64.   owner /tmp/** rwm,
  65.   /tmp/.X[0-9]*-lock r,
  66.   /usr/**/lib{,32,64}/ mr,
  67.   /usr/**/lib{,32,64}/** mr,
  68.   /usr/**/share/ r,
  69.   /usr/**/share/** r,
  70.   /usr/bin/basename rix,
  71.   /usr/bin/dirname rix,
  72.   /usr/bin/evince PUx,
  73.   /usr/bin/geany PUx,
  74.   /usr/bin/clamdscan  PUx,
  75.   /usr/bin/mkfifo rUx,
  76.   /opt/Adobe/flash-player/flash-plugin/libflashplayer.so  r,
  77.    
  78.   /usr/                       r,
  79.   /usr/bin/                   r,
  80.   /usr/*                      rix,
  81.   /usr/bin/*                  rix,
  82.  
  83.  
  84.  
  85.  
  86.  
  87.   /usr/bin/purple-url-handler PUx,
  88.   /usr/bin/wget               PUx,
  89.   /usr/bin/axel               PUx,
  90.   /usr/bin/curl               PUx,
  91.   /usr/bin/gnome-terminal     PUx,
  92.  
  93.  
  94.   /usr/local/bin/mailto PUx,
  95.  
  96.   /usr/bin/pwd rix,
  97.   /usr/bin/python-wrapper PUx,
  98.   /usr/bin/smplayer PUx,
  99.   /usr/bin/steam PUx,
  100.   /usr/bin/totem PUx,
  101.   /usr/bin/tr rix,
  102.   /usr/bin/vlc PUx,
  103.   /usr/bin/which rUx,
  104.  
  105.   /usr/lib64/firefox/** mrix,
  106.   /usr/lib64/firefox/plugin-container PUx,
  107.   /usr/bin/exo-open                   PUx,
  108.   /usr/libexec/gstreamer-0.10/gst-plugin-scanner  rix,
  109.   /usr/lib64/gstreamer-1.0/gst-plugin-scanner     rix,
  110.   /lib{,32,64}/ r,
  111.   /lib{,32,64}/** mr,
  112.   /usr/lib{,32,64}/ r,
  113.   /usr/lib{,32,64}/** mr,
  114.   /usr/local/bin/qtorrent PUx,
  115.   /usr/local/bin/skyper PUx,
  116.   /usr/share/ r,
  117.   /usr/share/** r,
  118.  
  119.    /var/tmp/ r,
  120.  
  121.   owner /var/tmp/** rm,
  122.   owner @{HOME}/ r,
  123.   owner @{HOME}/* r,
  124.   owner @{HOME}/.adobe/ r,
  125.   owner @{HOME}/.adobe/** r,
  126.   owner @{HOME}/.cache/mozilla/ rw,
  127.   owner @{HOME}/.cache/mozilla/** rw,
  128.   owner @{HOME}/.config/ r,
  129.   owner @{HOME}/.config/** r,
  130.   owner @{HOME}/.config/ibus/bus/ rw,
  131.   owner @{HOME}/.local/share/applications/defaults.list r,
  132.   owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  133.   owner @{HOME}/.macromedia/ r,
  134.   owner @{HOME}/.macromedia/** r,
  135.   owner @{HOME}/.mozilla/ r,
  136.   owner @{HOME}/.mozilla/** r,
  137.   owner @{HOME}/.mozilla/firefox/** rwk,
  138.   owner @{HOME}/.icons/**              r,
  139.   owner @{HOME}/.mozilla/**/*.sqlite* k,
  140.   owner @{HOME}/.mozilla/**/stylish.sqlite* rw,
  141.   owner @{HOME}/.mozilla/**/cookies.sqlite* rw,
  142.   owner @{HOME}/.mozilla/**/.parentlock k,
  143.   owner @{HOME}/.mozilla/**/extensions/** mrix,
  144.   owner @{HOME}/.mozilla/**/plugins/** mr,
  145.   owner @{HOME}/.mozilla/firefox/profiles.ini r,
  146.   owner @{HOME}/.mozilla/plugins/** mr,
  147.   owner @{HOME}/.nv/GLCache/ rk,
  148.   owner @{HOME}/.nv/GLCache/** rk,
  149.   owner @{HOME}/.nv/nvidia-application-profile-globals-rc r,
  150.   owner @{HOME}/Public/ r,
  151.   owner @{HOME}/Public/* r,
  152.   owner @{HOME}/mm.cfg rw,
  153.   owner @{HOME}/{Desktop,Downloads}/ r,
  154.   owner @{HOME}/{Desktop,Downloads}/** rw,
  155.   owner @{HOME}/.cache/gstreamer-1.0/**  rw,
  156.  
  157.  
  158.   owner @{PROC}/[0-9]*/cmdline r,
  159.   owner @{PROC}/[0-9]*/fd/ r,
  160.   owner @{PROC}/[0-9]*/fd/* r,
  161.   owner @{PROC}/[0-9]*/maps r,
  162.   owner @{PROC}/[0-9]*/mountinfo r,
  163.   owner @{PROC}/[0-9]*/stat r,
  164.   owner @{PROC}/[0-9]*/statm r,
  165.   owner @{PROC}/[0-9]*/status r,
  166.   owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  167.  
  168.   @{PROC}/[0-9]*/net/if_inet6 r,
  169.   @{PROC}/[0-9]*/net/ipv6_route r,
  170.   @{PROC}/filesystems r,
  171.  
  172. }
