Willkommen hier bei uns Tariin ☺
/etc/apparmor.d/usr.bin.firefox_eigene
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Last Modified: Sep 04 2018
#include <tunables/global>

# Install tree of the confined browser, kept in a variable so a local
# override can rebind it in a single place.
@{MOZ_LIBDIR} = /usr/lib/firefox

# The attachment glob of the profile below confines /usr/lib/firefox/firefox
# and any /usr/lib/firefox/firefox<suffix> whose name does not end in "sh"
# (e.g. firefox-bin), but deliberately not the firefox.sh wrapper script.
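# NOTE(review): this file is installed as usr.bin.firefox_eigene, but the
# stock usr.bin.firefox profile attaches to exactly the same path. Two
# profiles with one attachment cannot be loaded together -- disable or remove
# the stock profile (aa-disable / move it aside) before loading this one.
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-accessibility-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dbus-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  # Deliberately NOT included: the Ubuntu browser abstraction that lets the
  # browser launch helper applications (viewers, players, ...). Leaving it out
  # is what blocks "open with" handling; see the clementine line below.
  # include <abstractions/ubuntu-browsers.d/firefox>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>
  # Site-local overrides. This still references the stock profile's local
  # file; apparmor_parser fails if local/usr.bin.firefox does not exist.
  #include <local/usr.bin.firefox>

  # TCP over IPv4/IPv6 and local unix stream sockets. UDP for DNS is expected
  # to come from abstractions/nameservice -- confirm on your AppArmor version.
  network inet stream,
  network inet6 stream,
  network unix stream,

  # Accessibility (AT-SPI), GConf, NetworkManager and UPower bus traffic.
  dbus (send) bus=session peer=(name=org.a11y.Bus),
  dbus (receive) bus=session interface=org.a11y.atspi**,
  dbus (receive, send) bus=accessibility,
  dbus (send) bus=system path=/org/freedesktop/NetworkManager member=state,
  dbus (receive) bus=system path=/org/freedesktop/NetworkManager,
  dbus (send) bus=session interface=org.gtk.gio.DesktopAppInfo member=Launched,
  dbus (send) bus=session path=/org/gnome/GConf/Server member=GetDefaultDatabase,
  dbus (send) bus=session path=/org/gnome/GConf/Database/* member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
  dbus (send) bus=system path=/org/freedesktop/UPower member=EnumerateDevices interface=org.freedesktop.UPower,

  # Firefox may ptrace processes running under this very profile. The braces
  # are escaped so the peer string matches the profile's literal name rather
  # than being expanded as a glob.
  ptrace trace peer=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\},

  # The only user-data directories the browser may touch: downloads land in
  # ~/Downloads (top level only -- no subdirectories can be created there),
  # uploads may be taken from ~/Downloads and ~/Öffentlich. Note that the
  # system-wide read rules further down (/etc, /usr, /opt, /sys) and the
  # browser's own profile directory remain readable and hence uploadable.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Öffentlich/ r,
  owner @{HOME}/Öffentlich/* r,

  # Uncomment to let Firefox hand downloaded media to Clementine.
  # NOTE(review): Ux runs the player *unconfined* (environment scrubbed, no
  # AppArmor restriction at all); prefer Px with a dedicated clementine
  # profile, or Cx with a child profile, so the handler stays sandboxed.
  # /usr/bin/clementine rUx,

  # Explicit denials: silence audit noise and keep the install tree and the
  # add-on directories read-only even though /usr/** is readable below.
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /run/udev/data/** r,
  deny /usr/bin/gconftool-2 x,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{MOZ_LIBDIR}/** w,
  deny @{MOZ_LIBDIR}/update.test w,

  # Every directory on the system may be listed (directories only, not the
  # files in them). Needed by file dialogs, but it does leak directory names.
  / r,
  /**/ r,

  # Helper binaries. rUx means "execute unconfined" (environment scrubbed):
  # whatever is started this way leaves the sandbox completely. Kept as in
  # the upstream profile because ps and mkfifo would need additional /proc
  # and /tmp rules to run under ix -- a TODO if you want to tighten further.
  /bin/ps rUx,
  /bin/uname rUx,
  /bin/which rix,

  # NOTE(review): now owner-qualified (was unqualified) so the browser cannot
  # read or write other users' shared-memory segments. Firefox only uses
  # segments it created itself, matching the owner rule for run/shm below;
  # PulseAudio's pulse-shm segments are handled by abstractions/audio.
  owner /dev/shm/* rw,

  # Broad read access to system configuration and software. These are real
  # file reads, so anything under /etc, /usr, /opt or /sys can be uploaded.
  /etc/ r,
  /etc/** r,
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/fstab r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,
  /etc/ld.so.preload r,
  /etc/lsb-release r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/mtab r,
  /etc/timezone r,
  /etc/udev/udev.conf r,
  /etc/wildmidi/wildmidi.cfg r,
  /etc/xdg/*buntu/applications/defaults.list r,
  /etc/xfce4/defaults.list r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/adobe/** r,
  /opt/ r,
  /opt/** r,

  # Process information. The unqualified rules (no "owner") expose cmdline,
  # status, stat and the ARP table of *every* process/host on the machine.
  /proc/*/attr/current r,
  /proc/*/net/arp r,
  /proc/*/loginuid r,
  /sbin/killall5 rix,
  /sys/ r,
  /sys/** r,
  /sys/devices/pci*/** r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
  /sys/devices/system/node/node0/meminfo r,
  /sys/kernel/security/apparmor/features/dbus/mask r,

  # mmap-exec of the user's own files under /tmp and /var/tmp; no write
  # access is granted there by this profile.
  owner /tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /usr/ r,
  /usr/** r,
  /usr/bin/basename rix,
  /usr/bin/dbus-daemon rix,
  /usr/bin/dbus-launch rix,
  /usr/bin/dirname rix,
  /usr/bin/expr ix,
  # lsb_release runs in the child profile defined at the end of this block.
  /usr/bin/lsb_release rCx -> lsb_release,
  # Unconfined transition, see the note on /bin/ps above.
  /usr/bin/mkfifo rUx,
  /usr/bin/pwd rix,
  /usr/bin/tr rix,
  /usr/lib/xulrunner-*/plugin-container rix,
  /usr/share/xubuntu/applications/defaults.list r,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{,var/}run/user/*/dconf/user w,

  # Per-user browser state. Note that ~/.mozilla is fully writable and files
  # under its extensions/ trees may be mmap'd and executed inherited (mrix):
  # a compromised browser can stage and run native code under this same
  # profile. This is inherent to the upstream layout, not a local choice.
  owner @{HOME}/ r,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/thumbnails/** rw,
  owner @{HOME}/.config/dconf/user w,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.mozilla/**/extensions/** mrix,
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** mr,
  owner @{HOME}/.{firefox,mozilla}/plugins/** mr,

  # The install tree is executable inherited; writes are denied above.
  @{MOZ_LIBDIR}/** rix,
  @{PROC}/ r,
  owner @{PROC}/[0-9]*/auxv r,
  @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/environ r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/wireless r,
  owner @{PROC}/[0-9]*/smaps r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/statm r,
  @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,

  # Child profile for /usr/bin/lsb_release (a Python script that shells out
  # to dpkg-query); only what that script needs, nothing from the browser.
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    deny /tmp/gtalkplugin.log w,

    /bin/dash rix,
    /etc/debian_version r,
    /etc/lsb-release r,
    /etc/ld.so.preload r,
    /usr/bin/ r,
    /usr/bin/dpkg-query rix,
    /usr/bin/lsb_release r,
    # Widened from python3.[0-5]: a 2018-era distribution ships Python 3.6+,
    # which the old range did not match (abstractions/python may already
    # cover the interpreter on newer releases -- harmless either way).
    /usr/bin/python3.[0-9]* r,
    /usr/include/python2.[4567]/pyconfig.h r,
    /usr/local/lib/python3.[0-9]*/dist-packages/ r,
    /var/lib/dpkg/** r,
    /tmp/ibus-* r,
    /usr/share/distro-info/debian.csv r,
    /etc/default/apport r,
    /etc/apt/apt.conf.d/* r,
  }
}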
Das obige Profil habe ich im Netz gefunden und so überarbeitet, dass Firefox nicht mehr an beliebigen Orten speichern kann: Downloads sind nur nach ~/Downloads möglich, Uploads (z. B. Fotos hier im Forum) nur aus ~/Downloads und ~/Öffentlich. Beachte aber: Dateien unter /etc, /usr, /opt und /sys sowie das eigene Firefox-Profil (~/.mozilla) bleiben lesbar und ließen sich daher ebenfalls hochladen, und alle Verzeichnisse auf dem System dürfen aufgelistet werden (Regel "/**/ r").
Das obige Profil verhindert auch, dass z. B. eine heruntergeladene MP3-Datei in einem lokal installierten Player geöffnet wird. Solltest du das ändern wollen, sieh dir den auskommentierten Eintrag `# /usr/bin/clementine rUx,` an. Beachte dabei: `Ux` startet den Player unconfined, also ganz ohne AppArmor-Einschränkung; sauberer ist `Px` mit einem eigenen Profil für den Player (oder `Cx` mit einem Kindprofil).
Hoffe es hilft.