# Bodhi.Zazen's current firefox profile
# Please note this is for :
# Ubuntu 9.10
# Modified from an original profile from Jamie Strandboge
#
# Review notes:
# - Every "#include" in this file has lost its <...> target (the angle-bracketed
#   text was dropped when the page was extracted). The profile will not parse,
#   and its effective policy cannot be judged, until each target is restored
#   from the original file.
# - Rules with an uppercase "U" execute mode (Uxr, PUxr) launch the helper
#   unconfined, so each listed editor, office component, media player and
#   npviewer runs with the user's full privileges; confinement of whatever
#   the browser hands to them ends at that exec.

# NOTE(review): include target lost in extraction. The @{PROC} and @{HOME}
# variables used below come from the global tunables, so this is presumably
# <tunables/global>; confirm against the original.
#include

/usr/lib/firefox-3.5.*/firefox {
  # NOTE(review): the targets of these ten abstraction includes were lost in
  # extraction; restore them from the original before loading the profile.
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,

  # sounds
  /etc/sound/ r,
  /etc/sound/** r,
  /etc/wildmidi/wildmidi.cfg r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/gnome/defaults.list r,
  /etc/mime.types r,
  /etc/mailcap r,
  /usr/bin/dbus-launch ixr,

  # firefox specific
  /etc/firefox-3.*/ r,
  /etc/firefox-3.*/** r,
  /etc/xulrunner-1.9*/ r,
  /etc/xulrunner-1.9*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny /usr/lib/firefox-3.*/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,

  # These are needed when a new user starts firefox and firefox.sh is used
  /usr/lib/firefox-3.*/** ixr,
  /usr/bin/basename ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  # sys_ptrace lets the confined browser inspect other processes; it is here
  # for the firefox.sh/killall5 startup path above. If that wrapper is not in
  # use, this capability and the unqualified maps read below can be dropped.
  capability sys_ptrace,
  /etc/mtab r,
  @{PROC}/[0-9]*/mounts r,
  @{PROC}/[0-9]*/maps r,

  # allow access to documentation and other files the user may want to look
  # at in /usr
  /usr/ r,
  /usr/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # allow read and write to all user's files, except explicitly denied ones
  owner @{HOME}/ r,
  owner @{HOME}/{Desktop,Documents,Downloads}/ rw,
  owner @{HOME}/{Desktop,Documents,Downloads}/** rw,
  owner @{HOME}/Firefox_wallpaper* rw,
  # NOTE(review): include target lost in extraction; restore from the original.
  #include
  audit deny @{HOME}/.ssh/** mrwkl,
  owner @{HOME}/.gnome2/accels/ rw,
  owner @{HOME}/.gnome2/accels/** rw,
  owner @{HOME}/.gnome2_private/ mrwkl,
  owner @{HOME}/.gnome2_private/** mrwkl,
  # NOTE(review): the six rules below, and the .mozilla/.icedteaplugin/.adobe/
  # .esd_auth/.macromedia/.java rules further down, carry no "owner" qualifier,
  # unlike the Desktop/Documents/Downloads rules above; confirm that is intended.
  @{HOME}/.cache/ rw,
  @{HOME}/.cache/** rwmk,
  @{HOME}/.gnome2/ rw,
  @{HOME}/.gnome2/** rwmk,
  @{HOME}/.local/ r,
  @{HOME}/.local/** r,

  # comment this out if using gpg plugin/addons
  # NOTE(review): the comment above reads as if this rule were a deny, but it
  # is an allow granting full read/write/map/lock access to the GnuPG keyring,
  # while .ssh is audit-denied above. If no gpg plugin/addon is in use, make
  # this an audit deny like the .ssh rule.
  owner @{HOME}/.gnupg/** mrwkl,

  # per-user firefox configuration
  @{HOME}/.mozilla/ rw,
  @{HOME}/.mozilla/** rwmk,

  # per-user common plugin configuration
  @{HOME}/.icedteaplugin/ rw,
  @{HOME}/.icedteaplugin/** rw,
  @{HOME}/.adobe/ rw,
  @{HOME}/.adobe/** rw,
  @{HOME}/.esd_auth rw,
  @{HOME}/.macromedia/ rw,
  @{HOME}/.macromedia/** rw,
  @{HOME}/.java/ rw,
  @{HOME}/.java/** rwk,

  #
  # Plugins/helpers
  #
  @{PROC}/[0-9]*/fd/ r,
  # any file under /usr/lib may be mapped executable; combined with the
  # /usr/** read above this is the broadest grant in the profile
  /usr/lib/** rm,
  /bin/bash ixr,
  /bin/dash ixr,
  /bin/grep ixr,
  /bin/ps Uxr,
  /bin/uname Uxr,
  /usr/bin/m4 ixr,
  /usr/bin/gnome-open ixr,
  /usr/lib/nspluginwrapper/i386/linux/npviewer Uxr,
  /var/lib/ r,
  /var/lib/** mr,

  # noisy
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/firefox-3.*/update.test w,

  # for maximum plugin/helper compatibility
  #/usr/bin/* Uxr,
  #/usr/lib/*/** ixr,

  #
  # For stricter access, comment out the 'maximum plugin/helper compatibility'
  # lines above and uncomment these
  #
  # NOTE(review): as written, the profile is already in the stricter
  # configuration: the compatibility lines above are commented out and the
  # per-helper rules below are active.

  # evince has its own profile, so change to it
  /usr/bin/evince PUxr,

  # miscellaneous
  #/usr/bin/eog Uxr,
  /usr/bin/gedit Uxr,
  /usr/bin/gimp* Uxr,
  /usr/bin/file-roller Uxr,
  /usr/bin/ooffice Uxr,
  /usr/bin/oocalc Uxr,
  /usr/bin/oodraw Uxr,
  /usr/bin/ooimpress Uxr,
  /usr/bin/oowriter Uxr,
  # NOTE(review): "/usr/bin/python*/*" matches entries one level below a
  # /usr/bin/python* directory, not the interpreter itself ("*" does not
  # cross "/"). If the interpreter was meant, check this pattern.
  /usr/bin/python*/* ixr,

  # totem
  /usr/lib/totem/** ixr,
  /usr/bin/totem-gstreamer Uxr,
  /usr/bin/totem-xine Uxr,
  /usr/bin/totem Uxr,

  # mozplugger
  /etc/mozpluggerrc r,
  /usr/bin/mozplugger-helper Uxr,
  /usr/bin/mplayer Uxr,

  # java
  /usr/lib/jvm/java-6-openjdk/jre/bin/java Uxr,
  /etc/java-*-sun/** r,
  /usr/lib/jvm/java-*-sun-1.*/jre/bin/java Uxr,
}