File: apparmor-profile.abstraction

# vim:syntax=apparmor
#
# abstraction used by papers binaries
#
# Rule set shared by the papers (document viewer) profiles; it is pulled in
# with `include` from the real profile, so everything here is additive to that
# profile's own rules.  Reminder on AppArmor semantics that matter when editing
# this file: rules are not order-dependent, a `deny` rule always wins over an
# overlapping allow rule (here or in the including profile), and `deny` on its
# own is quiet whereas `audit deny` logs each rejected access.
#

  include <abstractions/gnome>
  include <abstractions/mesa>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/vulkan>
  include <abstractions/p11-kit>
  include <abstractions/ubuntu-helpers>

  # NOTE(review): the first two rules are not `owner`-qualified, so policy
  # allows listing fd/ and reading mountinfo of any pid (DAC still applies).
  # If nothing needs other processes' entries, `owner` would be tighter.
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/status r,

  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  # (A plain `deny`, without `audit`, also suppresses the log entries, which
  # is the point of this rule.)
  deny /run/udev/data/** r,

  # move out to the gnome abstraction if anyone else needs these
  /etc/udev/udev.conf r,
  /sys/devices/**/block/**/uevent r,

  # apport
  /etc/default/apport r,

  # XFCE
  /etc/xfce4/defaults.list r,

  # Lubuntu
  /etc/xdg/lubuntu/applications/defaults.list r,

  # papers specific
  # `/etc/ r` is only the directory listing; individual files under /etc
  # still need their own rule (fstab, texmf, xpdf below).
  /etc/ r,
  /etc/fstab r,
  /etc/texmf/ r,
  /etc/texmf/** r,
  /etc/xpdf/* r,
  # Only the invoking user's own config tree is writable ('l' = link, 'k' = lock).
  owner @{HOME}/.config/papers/   rw,
  owner @{HOME}/.config/papers/** rwkl,

  # Ghostscript runs with `ix`, i.e. under the calling profile, so it inherits
  # every permission in this file.  NOTE(review): "gs-esp" is the binary name
  # of the old ESP Ghostscript fork; confirm it still exists on the suites
  # this profile targets, otherwise the rule is dead.
  /usr/bin/gs-esp ixr,
  # TeX helpers are confined to the sanitized_helper child profile (defined by
  # abstractions/ubuntu-helpers, included above) rather than inheriting ours.
  /usr/bin/mktexpk Cx -> sanitized_helper,
  /usr/bin/mktextfm Cx -> sanitized_helper,
  /usr/bin/dvipdfm Cx -> sanitized_helper,
  /usr/bin/dvipdfmx Cx -> sanitized_helper,

  # gio-launch-desktop was replaced by a very small shell script
  # NOTE(review): this is the broadest exec rule in the file -- a shell
  # started with `ix` is confined only by this profile, so whatever it runs
  # is limited to the exec rules listed here and nothing else.
  /{usr/,}bin/{dash,bash} ixr,
  # With older GLib we might still be on the fallback code path
  # (remove this after Debian 11 and Ubuntu 20.04)
  # NOTE(review): that cut-off has passed; candidate for removal once it is
  # confirmed no supported suite still ships the fallback path.
  /usr/lib/*/glib-2.0/gio-launch-desktop ixr,

  # supported archivers
  # All run with `ix` (same profile), not a sanitized child profile, so they
  # get read access to every path allowed in this file.
  /{usr/,}bin/gzip ixr,
  /{usr/,}bin/bzip2 ixr,
  # Wildcard: matches any /usr/bin/unrar* binary (presumably the free and
  # non-free alternatives), not just "unrar".
  /usr/bin/unrar* ixr,
  /usr/bin/unzip ixr,
  /usr/bin/7zr ixr,
  /usr/lib/p7zip/7zr ixr,
  /usr/bin/7za ixr,
  /usr/lib/p7zip/7za ixr,
  /usr/bin/zipnote ixr,
  /{usr/,}bin/tar ixr,
  /usr/bin/xz ixr,

  # allow read access to anything in /usr/share and /usr/local/share, for
  # plugins and input methods; ghostscript resources additionally need 'm'
  /usr/local/share/** r,
  /usr/share/** r,
  /usr/lib/ghostscript/** mr,
  /var/lib/ghostscript/** r,
  /var/lib/texmf/{,**} r,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read for all supported file formats
  # Case-insensitive match on the file extension, anywhere on the filesystem,
  # deliberately without `owner` so documents outside $HOME can be opened;
  # DAC still applies.  (The [fFpP][dD][fF] rule covers both .pdf and .fdf.)
  /**.[aA][iI]         r,
  /**.[bB][mM][pP]     r,
  /**.[dD][jJ][vV][uU] r,
  /**.[dD][vV][iI]     r,
  /**.[gG][iI][fF]     r,
  /**.[jJ][pP][gG]     r,
  /**.[jJ][pP][eE][gG] r,
  /**.[oO][dD][pP]     r,
  /**.[fFpP][dD][fF]   r,
  /**.[pP][nN][mM]     r,
  /**.[pP][nN][gG]     r,
  /**.[pP][sS]         r,
  /**.[eE][pP][sS]     r,
  /**.[eE][pP][sS][fFiI23] r,
  /**.[tT][iI][fF]     r,
  /**.[tT][iI][fF][fF] r,
  /**.[xX][pP][mM]     r,
  /**.[gG][zZ]         r,
  /**.[bB][zZ]2        r,
  /**.[cC][bB][rRzZ7]  r,
  /**.[xX][zZ]         r,

  # Use abstractions/private-files instead of abstractions/private-files-strict
  # and add the sensitive files manually to work around LP: #451422. The goal
  # is to disallow access to the .mozilla folder in general, but to allow
  # access to the Cache directory, which the browser may tell papers to open
  # from directly.
  #
  # Because the /**.ext rules above allow reading matching files anywhere,
  # these `audit deny` rules are what actually keeps credential stores and
  # browser/mail profiles off-limits; a deny overrides the allow rules and
  # every attempt is logged.

  include <abstractions/private-files>
  # Key material and keyrings: no access of any kind (including mmap/link).
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
  audit deny @{HOME}/.gnome2/ w,
  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
  audit deny @{HOME}/.pki/{,nssdb/} w,
  audit deny @{HOME}/.pki/nssdb/{,**} wl,

  # Firefox profiles: block writes to the tree and all access to the parts
  # that hold user data/extensions; read of other files (e.g. Cache) stays
  # allowed, per the LP: #451422 note above.
  audit deny @{HOME}/.mozilla/{,**/} w,
  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,

  # Only the ~/.config directory entry itself is write-denied; the
  # `owner @{HOME}/.config/papers/` rw rule above is unaffected.
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
  audit deny @{HOME}/.evolution/{,**} mrwkl,
  # NOTE(review): exact duplicate of the .kde rule in the block above;
  # harmless (identical rules merge) but one of the two can be dropped.
  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
  # Meant as "every profile subdirectory except Cache", but each bracket only
  # excludes one character at one position: a directory whose name starts
  # with 'C' (or has 'a' second, 'c' third, ...), or is shorter than five
  # characters, is NOT denied by this rule.  That is the approximation the
  # LP: #451422 workaround accepts; tighten it if a stricter set is wanted.
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,

  # When LP: #451422 is fixed, change the above to simply be:
  ##include <abstractions/private-files-strict>
  #owner @{HOME}/.mozilla/**/*Cache/* r,
  # (The double '#' on the include line is deliberate: a single leading '#'
  # would be the legacy, still-valid `#include` syntax and activate the rule.)

  # Site-specific additions and overrides. See local/README for details.
  include <local/usr.bin.papers>