I have been trying to create a PureBrowser apparmor profile based on Firefox. I have turned off read access to all directories, which are on in the Firefox browser profile by default. (I may apply audit at some point, but I think this is way too loose.)
I have been sorting out differences as a result. First, I am wondering what ~/.cache/mesa_shader_code is. Is that for updates? Second, PureBrowser seems to require a lot of hardware access under /sys/devices/*, particularly PCI, /dev/dir, and /run/user/. I wonder if they should be “deny”-ed as noise. I do not understand why a browser needs such information.
I would appreciate if someone knowledgeable chimed in on these directory permissions. Thanks.
@Wayne This is a very worthwhile effort and I’m sure many others would be interested in applying this PureBrowser apparmor profile once you wrap it up, if you feel like sharing!
I would like to when it is finished, as it would be nice to have several knowing eyes looking at it. But, I am just learning, so it is one thing to screw up myself, rather another to mess someone else up. We shall see how far I get before throwing in the towel; I have been tempted already.
I have seen others plead for a PureBrowser profile in this Forum, and I agree. In fairness to the Purism staff and the apparmor ones, who disable Firefox by default, this is really hard, especially if one clamps down on the permissions and still tries to generalize. That thing has its tentacles everywhere, even if it does not need it.