[apparmor] [PATCH] apparmor-profiles: updates for evolution on Ubuntu
Jamie Strandboge
jamie at canonical.com
Fri Jul 15 22:00:45 UTC 2011
Attached is a patch for usr.bin.evolution on Ubuntu 11.04 and 11.10 that
achieves the following:
- allow owner read of @{PROC}/*/fd/, which is needed for addressbook
manipulation
- explicitly deny some noisy files in /tmp
- allow gedit as a helper (for text file attachments). This uses a very
strict child profile
--
Jamie Strandboge | http://www.canonical.com
------------------------------------------------------------
revno: 69
committer: Jamie Strandboge <jamie at canonical.com>
branch nick: apparmor-profiles
timestamp: Fri 2011-07-15 16:20:18 -0500
message:
usr.bin.evolution (ubuntu natty and oneiric):
- allow owner read of @{PROC}/*/fd/, which is needed for addressbook
manipulation
- explicitly deny some noisy files in /tmp
- allow gedit as a helper (for text file attachments). This uses a very strict
child profile
diff:
=== modified file 'ubuntu/11.04/usr.bin.evolution'
--- ubuntu/11.04/usr.bin.evolution 2011-02-16 20:42:24 +0000
+++ ubuntu/11.04/usr.bin.evolution 2011-07-15 21:20:18 +0000
@@ -22,13 +22,17 @@
/ r,
deny /boot/{vmlinuz,initrd}* r,
/etc/timezone r,
- deny @{PROC}/*/fd/ r, # investigate
+ owner @{PROC}/*/fd/ r, # needed for addressbook manipulation
/usr/include/python2.7/pyconfig.h r,
/usr/share/evolution-data-server-*/** r,
/usr/share/evolution/** r,
/usr/share/gtkhtml-*/** r,
/usr/bin/evolution mrix,
+ # Noisy when searching /tmp for file attachments
+ deny /tmp/.X0-lock r,
+ deny /tmp/.pkapi_xpk r,
+
# Helper applications
/usr/lib/evolution/*/killev Cx -> killev,
/usr/lib/evolution/*/evolution-backup Cx -> backup,
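Review bot: The new `deny /tmp/.X0-lock r,` only matches the lock file of display :0, so on a second X server the log noise this is meant to suppress comes straight back; `deny /tmp/.X[0-9]*-lock r,` quiets every display without granting anything. Both deny rules in this hunk only silence audit logging, since the profile already denies by default, and the comment should say so, e.g. `# Noisy when searching /tmp for file attachments; these denies only quiet the log`. The replacement `owner @{PROC}/*/fd/ r,` is limited to same-uid processes by `owner`, but it still lists the fd directories of every such process rather than only evolution's own; if that breadth is intentional, the comment would be a good place to note it.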
@@ -36,6 +40,7 @@
/usr/bin/evince PUx,
/usr/bin/seahorse-tool ix,
/usr/share/seahorse-plugins/** r,
+ /usr/bin/gedit Cx -> gedit,
owner @{HOME}/.gnome2_private/Evolution rw,
owner @{HOME}/.camel_certs/ rw,
@@ -64,6 +69,7 @@
# Possibly in abstractions?
owner @{HOME}/.goutputstream-* rw,
owner @{HOME}/.thumbnails/** r,
+ /usr/share/gnome/applications/mimeinfo.cache r,
owner @{HOME}/.local/share/gvfs-metadata/home* r,
@@ -148,4 +154,38 @@
owner @{HOME}/evolution.dir* rw,
owner @{HOME}/.local/share/evolution/backup-restore-gconf.xml* rw,
}
+
+ profile gedit {
+ #include <abstractions/gnome>
+ #include <abstractions/enchant>
+ #include <abstractions/ibus>
+ #include <abstractions/private-files-strict>
+
+ /usr/bin/gedit r,
+
+ /etc/passwd r,
+ deny /etc/nsswitch.conf r,
+ deny /tmp/.X0-lock r,
+
+ /sys/devices/**/block/**/uevent r,
+ /dev/.udev/db/* r,
+ /etc/udev/udev.conf r,
+ /var/lib/dbus/machine-id r,
+ @{PROC}/[0-9]*/mountinfo r,
+
+ /usr/share/gedit-2/ r,
+ /usr/share/gedit-2/** r,
+ /usr/share/gtksourceview-2.0/ r,
+ /usr/share/gtksourceview-2.0/** r,
+
+ owner @{HOME}/.cache/evolution/tmp/** r,
+ owner @{HOME}/.local/share/gvfs-metadata/ r,
+ owner @{HOME}/.local/share/gvfs-metadata/** r,
+ owner @{HOME}/.gnome2/accels/gedit rw,
+ owner @{HOME}/.gnome2/gedit/ r,
+ owner @{HOME}/.gnome2/gedit/** rw,
+
+ # allow writes here
+ owner @{HOME}/Downloads/** rw,
+ }
}
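Review bot: The child profile grants `owner @{HOME}/Downloads/** rw,` but not `owner @{HOME}/Downloads/ r,`, while every other directory in this profile carries both the `/dir/` and `/dir/**` rule; if gedit's save dialog has to list Downloads, that listing will be denied. Adding `owner @{HOME}/Downloads/ r,` beside the existing rule keeps the profile consistent with itself. The profile also contains no execute rules at all, which is what stops a gedit launched from an attachment from spawning anything, including plugin-driven commands; that is worth stating, e.g. `# no exec rules on purpose: gedit opened from an attachment must not launch anything`. `@{PROC}/[0-9]*/mountinfo r,` is the one process rule without `owner`; scoping it like the rest would be consistent.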
=== modified file 'ubuntu/11.10/usr.bin.evolution'
--- ubuntu/11.10/usr.bin.evolution 2011-07-14 13:58:27 +0000
+++ ubuntu/11.10/usr.bin.evolution 2011-07-15 21:20:18 +0000
@@ -22,13 +22,17 @@
/ r,
deny /boot/{vmlinuz,initrd}* r,
/etc/timezone r,
- deny @{PROC}/*/fd/ r, # investigate
+ owner @{PROC}/*/fd/ r, # needed for addressbook manipulation
/usr/include/python2.7/pyconfig.h r,
/usr/share/evolution-data-server-*/** r,
/usr/share/evolution/** r,
/usr/share/gtkhtml-*/** r,
/usr/bin/evolution mrix,
+ # Noisy when searching /tmp for file attachments
+ deny /tmp/.X0-lock r,
+ deny /tmp/.pkapi_xpk r,
+
# Helper applications
/usr/lib/evolution/*/killev Cx -> killev,
/usr/lib/evolution/*/evolution-backup Cx -> backup,
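Review bot: `deny /tmp/.X0-lock r,` hard-codes display :0, so the noise it suppresses returns for any other display number; `deny /tmp/.X[0-9]*-lock r,` covers them all and, being a deny, grants nothing. Because the profile denies by default, both new deny rules exist only to keep the audit log quiet, and the comment could make that explicit, e.g. `# Noisy when searching /tmp for file attachments; these denies only quiet the log`. The `owner @{PROC}/*/fd/ r,` rule is bounded to same-uid processes but still covers every one of them rather than evolution's own; a short note on whether that breadth is required would help the next reader.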
@@ -36,6 +40,7 @@
/usr/bin/evince PUx,
/usr/bin/seahorse-tool ix,
/usr/share/seahorse-plugins/** r,
+ /usr/bin/gedit Cx -> gedit,
owner @{HOME}/.gnome2_private/Evolution rw,
owner @{HOME}/.camel_certs/ rw,
@@ -148,4 +153,38 @@
owner @{HOME}/evolution.dir* rw,
owner @{HOME}/.local/share/evolution/backup-restore-gconf.xml* rw,
}
+
+ profile gedit {
+ #include <abstractions/gnome>
+ #include <abstractions/enchant>
+ #include <abstractions/ibus>
+ #include <abstractions/private-files-strict>
+
+ /usr/bin/gedit r,
+
+ /etc/passwd r,
+ deny /etc/nsswitch.conf r,
+ deny /tmp/.X0-lock r,
+
+ /sys/devices/**/block/**/uevent r,
+ /dev/.udev/db/* r,
+ /etc/udev/udev.conf r,
+ /var/lib/dbus/machine-id r,
+ @{PROC}/[0-9]*/mountinfo r,
+
+ /usr/share/gedit-2/ r,
+ /usr/share/gedit-2/** r,
+ /usr/share/gtksourceview-2.0/ r,
+ /usr/share/gtksourceview-2.0/** r,
+
+ owner @{HOME}/.cache/evolution/tmp/** r,
+ owner @{HOME}/.local/share/gvfs-metadata/ r,
+ owner @{HOME}/.local/share/gvfs-metadata/** r,
+ owner @{HOME}/.gnome2/accels/gedit rw,
+ owner @{HOME}/.gnome2/gedit/ r,
+ owner @{HOME}/.gnome2/gedit/** rw,
+
+ # allow writes here
+ owner @{HOME}/Downloads/** rw,
+ }
}
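Review bot: `owner @{HOME}/Downloads/** rw,` is not paired with `owner @{HOME}/Downloads/ r,`, unlike every other directory in this child profile which gets both the `/dir/` and `/dir/**` rule; if the save dialog needs to enumerate Downloads, that will be denied. Add `owner @{HOME}/Downloads/ r,` next to it for consistency. The absence of any execute rule is the real strength of this profile, since gedit started from a mail attachment cannot run anything, plugins included, and deserves a comment such as `# no exec rules on purpose: gedit opened from an attachment must not launch anything`. `@{PROC}/[0-9]*/mountinfo r,` is the only process-file rule here without `owner`.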