Secure Firefox with AppArmor
To „lock down“ Firefox on an openSUSE 11.3 machine, I used the four AppArmor profiles you find below. The first is an openSUSE default profile and the second is based on the openSUSE default profile. My changes include support for PulseAudio sound and the Flash plugin, where the latter is realized with local (child) profiles that are more strongly confined than Firefox itself. Finally, I added the permissions Zotero requires.
# /etc/apparmor.d/usr.lib.firefox.firefox.sh
# Profile for the Firefox shell wrapper (openSUSE default). It only lets the
# wrapper run a few utilities and then hands off to the real browser binary,
# which runs under its own, separate profile.
# NOTE: the targets of the include directives below (normally given in angle
# brackets) were stripped when this page was copied; restore them from the
# original file before loading the profile.
#include
/usr/lib/firefox/firefox.sh {
#include
#include
#include
# The wrapper has no business tracing other processes. An explicit deny also
# keeps the rejection out of the audit log (deny rules are quiet unless
# prefixed with audit) and wins over any allow pulled in via an include.
deny capability sys_ptrace,
# Utilities the wrapper script calls; they inherit this profile (ix).
/bin/basename rix,
/bin/bash rix,
/bin/grep rix,
# file(1) and its magic databases; presumably used by the wrapper script.
/etc/magic r,
/usr/bin/file rix,
# Hand-off to the browser under its discrete profile (px). Lower-case p
# means the environment is NOT scrubbed on the transition. The target
# profile must be loaded, otherwise the exec is refused.
/usr/lib/firefox/firefox px,
/usr/share/misc/magic.mgc r,
}
# /etc/apparmor.d/usr.lib.firefox.firefox
# Main browser profile, derived from the openSUSE default. Plugins run in
# child profiles (npviewer, plugin_container) that are tighter than the
# browser itself, and the Zotero helper tools get their own child profile.
# NOTE: the targets of the include directives below (normally given in angle
# brackets) were stripped when this page was copied; restore them from the
# original file before loading the profile.
#include
/usr/lib/firefox/firefox {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
# The browser may not re-launch itself through the wrapper script.
deny /usr/lib/firefox/firefox.sh x,
# System-wide extension directories are read-only for the browser, so a
# compromised session cannot install extensions for all users.
deny /usr/lib/mozilla/extensions/*/ w,
/bin/bash ix,
/bin/uname ix,
/etc/gai.conf r,
/etc/gnome-vfs-2.0/modules/ r,
/etc/gre.d/ r,
/etc/gre.d/* r,
/etc/mailcap r,
/etc/mime.types r,
/etc/mtab r,
/etc/opt/kde3/share/applications/ r,
/etc/opt/kde3/share/applications/mimeinfo.cache r,
# "owner" restricts these rules to files owned by the user running Firefox.
owner @{HOME}/.ICEauthority r,
owner @{HOME}/.beagle/ToIndex/* rw,
owner @{HOME}/.fontconfig/* r,
owner @{HOME}/.icons/ r,
owner @{HOME}/.local/share/applications/ r,
owner @{HOME}/.local/share/applications/* r,
owner @{HOME}/.local/share/mime/* r,
# Full read/write on the user's own Mozilla profile tree. Note that this also
# covers the Zotero helper binaries executed further below (cx -> zotero_tools);
# that is tolerable only because the zotero_tools child profile is very narrow.
owner @{HOME}/.mozilla/extensions/** rw,
owner @{HOME}/.mozilla/firefox/** rw,
# File locking (k) on the SQLite databases and the profile lock file.
owner @{HOME}/.mozilla/firefox/**.sqlite* k,
owner @{HOME}/.mozilla/firefox/**/.parentlock k,
/opt/kde3/share/applications/ r,
/opt/kde3/share/applications/mimeinfo.cache r,
# Only the process's own /proc entries, not those of other processes.
owner @{PROC}/*/mounts r,
owner @{PROC}/*/fd/ r,
@{PROC}/meminfo r,
@{PROC}/sys/kernel/ngroups_max r,
/usr/bin/tr ix,
/usr/bin/which ix,
# Map (m) any shared library under /usr/lib.
/usr/lib/**.so mr,
/usr/lib/firefox/firefox rix,
/usr/lib/libproxy/pxgconf ix,
# Plugin hosts run in local child profiles (cx -> name) defined below,
# rather than inheriting the browser's broader permissions.
/usr/lib/nspluginwrapper/*/linux/npviewer rcx -> npviewer,
/usr/lib/xulrunner-*/plugin-container cx -> plugin_container,
/usr/local/share/applications/ r,
/usr/local/share/applications/* r,
/usr/share/applications/ r,
/usr/share/applications/* r,
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
/usr/share/locale-bundle/**.mo r,
/usr/share/mime/**.xml r,
/usr/share/mozilla/extensions/** r,
/usr/share/myspell/* r,
/var/cache/gio-2.0/defaults.list r,
/var/cache/libx11/compose/* r,
# Presumably the X authority file of the GDM session; owner-only read.
owner /var/run/gdm/*/database r,
# Child profile for the nspluginwrapper viewer. The npviewer wrapper script
# needs a shell and a few utilities, then runs npviewer.bin under this profile.
profile npviewer {
#include
#include
#include
/bin/bash rix,
/bin/uname rix,
/usr/bin/tr rix,
/usr/bin/which rix,
/usr/lib/nspluginwrapper/*/linux/npviewer.bin rix,
}
# Child profile for the out-of-process plugin host (Flash). The explicit
# denies override anything the includes might allow, so the plugin cannot
# read the user list, system uptime or the list of Firefox profiles.
# Whatever lets the plugin library itself be loaded must come from the
# stripped includes; nothing visible here grants it.
profile plugin_container {
#include
#include
#include
#include
#include
deny /etc/passwd r,
deny @{PROC}/uptime r,
deny @{HOME}/.mozilla/firefox/profiles.ini r,
/bin/bash ix,
/bin/grep ix,
/bin/ps ix,
owner @{PROC}/*/fd/ r,
owner @{PROC}/*/stat r,
owner /var/run/gdm/*/database r,
# Flash Player state: the trailing slash on the first rule limits write
# access to directories (creating them), not to the files inside.
owner @{HOME}/.adobe/Flash_Player/**/ w,
owner @{HOME}/.adobe/Flash_Player/AssetCache/ r,
owner @{HOME}/.macromedia/Flash_Player/** rw,
}
# Zotero-specific rules
# Zotero's PDF helper binaries live inside the user's Firefox profile and are
# executed into the narrow zotero_tools child profile below.
owner @{HOME}/.mozilla/firefox/*/zotero/pdfinfo-Linux-* cx -> zotero_tools,
owner @{HOME}/.mozilla/firefox/*/zotero/pdftotext-Linux-* cx -> zotero_tools,
# Integration pipe used by Zotero; presumably the FIFO created via mkfifo below.
owner @{HOME}/.zoteroIntegrationPipe rw,
# NOTE(review): Ux runs the PDF viewer UNCONFINED (environment scrubbed), so
# evince has no AppArmor restriction when opened from the browser. If an
# evince profile is installed on the system, Px would keep it confined.
/usr/bin/evince Ux,
/usr/bin/mkfifo ix,
# Child profile for the Zotero PDF tools: read attachments in Zotero storage,
# write only the two full-text index files.
profile zotero_tools {
#include
owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/* r,
owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/.zotero-ft-info w,
owner @{HOME}/.mozilla/firefox/*/zotero/storage/*/.zotero-ft-cache w,
}
}
# /etc/apparmor.d/abstractions/pulseaudio
# Abstraction (rule fragment, no profile header) to be included from profiles
# that need PulseAudio sound. Which profiles include it cannot be seen here,
# because the include targets on this page were stripped.
/dev/shm/ r,
# PulseAudio shared-memory segments, but only the user's own.
owner /dev/shm/pulse-shm-* rw,
/dev/snd/* rw,
/etc/alsa-pulse.conf r,
/etc/asound-pulse.conf r,
/etc/pulse/client.conf r,
# The per-user authentication cookie; read, write and lock.
owner @{HOME}/.pulse-cookie rwk,
# Starting the daemon transitions into its own profile (px, no fallback), so
# a profile for /usr/bin/pulseaudio must be loaded or the exec is refused.
/usr/bin/pulseaudio px,
/usr/share/alsa/** r,
/usr/share/sounds/** r,
/var/lib/dbus/machine-id r,
# vim:syntax=apparmor
# /etc/apparmor.d/usr.bin.pulseaudio
# Target profile for the px transition in the pulseaudio abstraction. Its body
# is a single include, so the daemon's actual confinement is defined entirely
# by that include, whose target was stripped from this page; restore it from
# the original file before loading.
#include
/usr/bin/pulseaudio {
#include
}