From 572172f9afed646b0366bf3bfb37b7b70647750d Mon Sep 17 00:00:00 2001
From: Moritz Heiber
Date: Mon, 18 Nov 2024 15:00:42 +0100
Subject: [PATCH] Extend apparmor profile for firefox so that is can manage its own memory and external USB devices

---
 mitamae/apparmor.rb | 26 ++++++++++++++++++++++++++
 mitamae/mitamae.rb | 1 +
 2 files changed, 27 insertions(+)
 create mode 100644 mitamae/apparmor.rb

diff --git a/mitamae/apparmor.rb b/mitamae/apparmor.rb
new file mode 100644
index 0000000..c1c407d
--- /dev/null
+++ b/mitamae/apparmor.rb
@@ -0,0 +1,26 @@
+apparmor_content = <<~APPARMOR
+/sys/class/ r,
+/sys/bus/ r,
+/sys/class/hidraw/ r,
+/run/udev/data/c24{1,7,9}:* r,
+/sys/devices/**/hidraw/hidraw*/uevent r,
+/dev/hidraw* rw,
+
+@{PROC}/[0-9]*/oom_score_adj rw,
+@{PROC}/[0-9]*/cgroup r,
+APPARMOR
+
+firefox_apparmor_file = '/etc/apparmor.d/local/usr.bin.firefox'
+
+file firefox_apparmor_file do
+ action :edit
+ block do |content|
+ content << apparmor_content
+ end
+ not_if "grep -qFx '#{apparmor_content.lines.first.strip}' #{firefox_apparmor_file}"
+ notifies :restart, 'service[apparmor]', :immediately
+end
+
+service 'apparmor' do
+ action :nothing
+end
diff --git a/mitamae/mitamae.rb b/mitamae/mitamae.rb
index 099107c..5004089 100644
--- a/mitamae/mitamae.rb
+++ b/mitamae/mitamae.rb
@@ -17,6 +17,7 @@
 include_recipe 'apt'
 include_recipe 'repos'
 include_recipe 'packages'
+include_recipe 'apparmor'
 include_recipe 'docker'
 include_recipe 'hashicorp'
 include_recipe 'configuration'
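Review bot: The two `@{PROC}/[0-9]*/...` rules in the heredoc grant Firefox write access to `oom_score_adj` and read access to `cgroup` for every PID on the host, while the commit message only asks for it to manage its own memory; scoping them to the confined process, `owner @{PROC}/@{pid}/oom_score_adj rw,` and `owner @{PROC}/@{pid}/cgroup r,`, preserves the intended functionality without widening what a compromised Firefox process could touch (assuming the target's AppArmor ships the `@{pid}` kernel variable in its tunables — verify on the installed version). The `block` also appends `apparmor_content` without checking that the existing override file ends with a newline, so on a file lacking one the first rule is glued onto the previous line and the profile no longer parses; `content << "\n" unless content.end_with?("\n")` before the `<<` avoids that. The `not_if` only greps for the first heredoc line (`/sys/class/ r,`), so a file that already contains that rule from another source silently skips the remaining ones; matching on a line unique to this block, such as the last rule, makes the idempotence guard more reliable. I can't tell from here whether `action :edit` creates `/etc/apparmor.d/local/usr.bin.firefox` when it is absent on a fresh host — worth confirming before relying on this recipe during first provisioning.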