[apparmor] Some Ubuntu click profiles for benchmarking
Jamie Strandboge
jamie at canonical.com
Fri Dec 20 20:34:08 UTC 2013
Hi!
With the parser improvements that Steve made recently and the differential
compression patch from John, we've been doing some performance benchmarking on
profiles we know about. I wanted to add some to this list. The attached profiles
are typical of profiles we might see in the Ubuntu AppStore and were generated with:
$ aa-easyprof -m <name>.json > <name>.profile
Here is the list:
* ubuntu_1.0_networking.profile -- typical ubuntu/1.0 SDK profile
* ubuntu_1.0_webapp.profile -- typical ubuntu/1.0 webapp profile (minus
location)
* ubuntu_1.1_all.profile -- pathological ubuntu/1.1 SDK profile (all
policy groups)
* ubuntu_1.1_webapp.profile -- future ubuntu/1.1 webapp profile (uses
preliminary oxide policy but also with location)
These were all generated with click-apparmor 0.1.13 and apparmor-easyprof-ubuntu
1.1.0.
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubuntu_1.0_networking.json
Type: application/json
Size: 435 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131220/a3cebf62/attachment-0004.json>
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_ID_DBUS}="com_2eexample_2efoo_5fbar_5f0_2e1"
@{APP_PKGNAME}="com.example.foo_bar_0.1"
@{APP_VERSION}="0.1"
@{CLICK_DIR}="/opt/click.ubuntu.com"
profile "com.example.foo_bar_0.1" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
owner /tmp/mir_socket rw, # FIXME: LP: #1236912
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
#
# DBus rules common for all apps
#
# Allow connecting to session bus and where to connect to services
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communication with any system service is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the system bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator",
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll",
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication",
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start",
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End",
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate},
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll",
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery",
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness",
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL",
# TODO: fine-tune this; the accessibility rules below are broad (the
# bus=accessibility rule allows any send/receive on that bus)
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
#
# end DBus rules common for all apps
#
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
/var/lib/dbus/machine-id r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/custom/xdg/data/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps -- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks information about running processes. Is it actually
# required? An AppArmor kernel PID var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/kernel/debug/tracing/trace_marker w,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks information about running processes. An AppArmor kernel
# PID var could solve this
owner @{PROC}/[0-9]*/attr/current r,
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
/usr/share/ubuntu-html5-theme/ r,
/usr/share/ubuntu-html5-theme/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
# qmlscene webview
# TODO: investigate child profile
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fall back to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1197056
owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/** rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect,
dbus (receive, send)
bus=session
interface=com.canonical.applications.Download{,er}Manager,
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.Download,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.GroupDownload,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# No read paths specified
# No write paths specified
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubuntu_1.0_webapp.json
Type: application/json
Size: 469 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131220/a3cebf62/attachment-0005.json>
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_ID_DBUS}="com_2eexample_2efoo_5fbar_5f0_2e1"
@{APP_PKGNAME}="com.example.foo_bar_0.1"
@{APP_VERSION}="0.1"
@{CLICK_DIR}="/opt/click.ubuntu.com"
profile "com.example.foo_bar_0.1" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
owner /tmp/mir_socket rw, # FIXME: LP: #1236912
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
#
# DBus rules common for all apps
#
# Allow connecting to session bus and where to connect to services
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communication with any system service is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the system bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator",
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll",
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication",
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start",
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End",
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate},
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll",
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery",
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness",
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL",
# TODO: fine-tune this; the accessibility rules below are broad (the
# bus=accessibility rule allows any send/receive on that bus)
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
#
# end DBus rules common for all apps
#
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
/var/lib/dbus/machine-id r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/custom/xdg/data/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps -- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks information about running processes. Is it actually
# required? An AppArmor kernel PID var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/kernel/debug/tracing/trace_marker w,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks information about running processes. An AppArmor kernel
# PID var could solve this
owner @{PROC}/[0-9]*/attr/current r,
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
/usr/share/ubuntu-html5-theme/ r,
/usr/share/ubuntu-html5-theme/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
# qmlscene webview
# TODO: investigate child profile
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fall back to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1197056
owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/** rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can play audio
# Usage: common
/dev/ashmem rw,
# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fails otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,
# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/audio.d"
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect,
dbus (receive, send)
bus=session
interface=com.canonical.applications.Download{,er}Manager,
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.Download,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.GroupDownload,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# Description: Can play video
# Usage: common
# android-based access. Remove once we move away from binder (LP: #1197134)
/dev/binder rw,
/dev/ashmem rw,
# gstreamer - should these be application specific?
owner @{HOME}/.gstreamer*/registry.*.bin* r,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/video.d"
# No read paths specified
# No write paths specified
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubuntu_1.1_all.json
Type: application/json
Size: 978 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131220/a3cebf62/attachment-0006.json>
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
@{APP_ID_DBUS}="com_2eexample_2efoo_5fbar_5f0_2e1"
@{APP_PKGNAME}="com.example.foo_bar_0.1"
@{APP_VERSION}="0.1"
@{CLICK_DIR}="/opt/click.ubuntu.com"
profile "com.example.foo_bar_0.1" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
#
# DBus rules common for all apps
#
# Allow connecting to session bus and where to connect to services
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communication with any system service is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the system bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator",
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll",
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication",
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start",
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End",
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate},
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll",
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery",
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness",
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL",
# TODO: fine-tune this; the accessibility rules below are broad (the
# bus=accessibility rule allows any send/receive on that bus)
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
#
# end DBus rules common for all apps
#
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
/var/lib/dbus/machine-id r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/custom/xdg/data/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps -- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running processes. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/kernel/debug/tracing/trace_marker w,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks running processes. AppArmor kernel var could solve this
owner @{PROC}/[0-9]*/attr/current r,
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
/usr/share/ubuntu-html5-theme/ r,
/usr/share/ubuntu-html5-theme/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
# qmlscene webview
# TODO: investigate child profile
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fall back to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1197056
owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/** rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can use Online Accounts. This policy group is reserved for
# vetted applications only in this version of the policy. Once LP: #1230091
# is fixed, this can be moved out of reserved status.
# Usage: reserved
/usr/share/accounts/** r,
dbus (receive, send)
bus=session
path=/com/google/code/AccountsSSO/SingleSignOn
interface=com.google.code.AccountsSSO.SingleSignOn.AuthService,
dbus (receive, send)
bus=session
interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession,
dbus (receive, send)
bus=session
interface=com.google.code.AccountsSSO.SingleSignOn.Identity,
dbus (receive, send)
bus=session
interface=com.ubuntu.OnlineAccountsUi,
dbus (receive)
bus=session
interface=com.google.code.AccountsSSO.Accounts,
# p2p support uses a named unix socket
owner /{,var/}run/user/*/signond/socket w,
# read access to accounts.db is ok
owner @{HOME}/.config/libaccounts-glib/accounts.db* rk,
# FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
# ro. This can go away once an access() LSM hook is implemented. For
# now, just silence the denial.
deny @{HOME}/.config/libaccounts-glib/accounts.db* w,
# Description: Can play audio
# Usage: common
/dev/ashmem rw,
# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,
# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/audio.d"
# Description: Can access the calendar. This policy group is reserved for
# vetted applications only in this version of the policy. Once LP: #1227824
# is fixed, this can be moved out of reserved status.
# Usage: reserved
# The gsettings entries for EDS aren't required for the calendar, so
# just silence these
# TODO: remove when we have gsettings mediation
deny /{,var/}run/user/*/dconf/user r,
deny /{,var/}run/user/*/dconf/user w,
deny @{HOME}/.config/dconf/user r,
dbus (receive, send)
bus=session
path=/org/gnome/evolution/dataserver/SourceManager,
dbus (receive, send)
bus=session
path=/org/gnome/evolution/dataserver/CalendarFactory,
dbus (receive, send)
bus=session
path=/org/gnome/evolution/dataserver/Calendar/**,
dbus (receive, send)
bus=session
path=/org/gnome/evolution/dataserver/CalendarView/**,
# Description: Can access the camera(s)
# Usage: common
# android-based access. Remove once we move away from binder (LP: #1197134)
/dev/binder rw,
/dev/ashmem rw,
/android/system/media/audio/ui/camera_click.ogg r,
# converged desktop
#include <abstractions/video>
/dev/ r, # TODO: maybe allow this?
/dev/video* rw,
/sys/devices/**/video4linux/video** r,
/sys/devices/**/modalias r,
/sys/devices/**/speed r,
# These disclose the device to the app
deny /sys/devices/virtual/dmi/id/* r,
# Description: Can access coarse network connectivity information
# Usage: common
# APIs: QtSystemInfo::NetworkInfo, QHostAddress and QNetworkInterface
/sys/class/net/ r,
/sys/devices/**/net/*/carrier r,
@{PROC}/[0-9]*/net/wireless r,
# Most apps that need connectivity will also have networking, but just in case
# only connectivity is needed, add these.
network stream,
network udp,
# Don't allow the MAC. Perhaps this will be allowed in another policy group
#/sys/devices/**/net/*/address r, # MAC
# QtSystemInfo::NetworkInfo throws an error on systems with ofono. These
# are the DBus calls that allow QtSystemInfo::NetworkInfo to work, but reveal
# too much information. For now, leave the rules commented out and when
# LP: #1226844 is fixed, we can see how to proceed
#
#dbus (send)
# bus=system
# path=/
# interface=org.ofono.Manager
# member=GetModems
# peer=(name=org.ofono),
#dbus (send)
# bus=system
# path=/ril_*
# interface=org.ofono.NetworkRegistration
# member=GetProperties
# peer=(name=org.ofono),
#dbus (receive)
# bus=system
# path=/ril_*
# interface=org.ofono.NetworkRegistration
# member=PropertyChanged
# peer=(name=org.freedesktop.DBus),
# Description: Can access contacts. This policy group is reserved for vetted
# applications only in this version of the policy. Once LP: #1227821 is
# fixed, this can be moved out of reserved status.
# Usage: reserved
dbus (receive, send)
bus=session
path=/com/canonical/pim/AddressBook,
dbus (receive, send)
bus=session
path=/com/canonical/pim/AddressBookView/**,
# FIXME: LP: #1227818. Clients shouldn't access Telepathy directly. Remove
# these when LP: #1227818 is fixed in address-book-app.
dbus (send)
bus=session
path=/org/freedesktop/Telepathy/AccountManager
peer=(name=org.freedesktop.Telepathy.AccountManager),
dbus (receive)
bus=session
path=/org/freedesktop/Telepathy/AccountManager,
dbus (send)
bus=session
path=/org/freedesktop/Telepathy/ChannelDispatcher
peer=(name=org.freedesktop.Telepathy.ChannelDispatcher),
dbus (receive)
bus=session
path=/org/freedesktop/Telepathy/ChannelDispatcher,
dbus (send)
bus=session
path=/org/freedesktop/Telepathy/Account/**
member=Get{,All}
peer=(name=org.freedesktop.Telepathy.AccountManager),
dbus (receive)
bus=session
path=/org/freedesktop/Telepathy/Account/**
member=Get{,All},
# Description: Can request/import data from other applications
# Usage: common
dbus (send)
bus=session
interface=org.freedesktop.DBus
path=/org/freedesktop/DBus
member=RequestName,
dbus (bind)
bus=session
name=com.ubuntu.content.handler.@{APP_ID_DBUS},
dbus (receive)
bus=session
path=/com/ubuntu/content/handler/@{APP_ID_DBUS}
interface=com.ubuntu.content.dbus.Handler,
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Transfer
path=/transfers/@{APP_ID_DBUS}/import/*,
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Service,
# Description: Can provide/export data to other applications
# Usage: common
dbus (send)
bus=session
interface=org.freedesktop.DBus
path=/org/freedesktop/DBus
member=RequestName,
dbus (bind)
bus=session
name=com.ubuntu.content.handler.@{APP_ID_DBUS},
dbus (receive)
bus=session
path=/com/ubuntu/content/handler/@{APP_ID_DBUS}
interface=com.ubuntu.content.dbus.Handler,
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Transfer
path=/transfers/@{APP_ID_DBUS}/export/*,
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Service,
# Description: Can use Friends social network service. This policy group is
# reserved for vetted applications only in this version of the policy. Once
# LP: #1231737 is fixed, this can be moved out of reserved status.
# Usage: reserved
dbus (send)
path=/com/canonical/friends/Dispatcher
interface=org.freedesktop.DBus.Properties,
dbus (send)
path=/com/canonical/friends/Dispatcher
peer=(name=com.canonical.Friends.Dispatcher),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(name=org.freedesktop.DBus),
dbus (bind)
bus=session
name=com.canonical.Friends.Streams,
dbus (send)
bus=session
path=/com/canonical/dee/peer/com/canonical/Friends/Streams
interface=com.canonical.Dee.Peer
peer=(name=com.canonical.Friends.Streams),
dbus (receive)
bus=session
path=/com/canonical/dee/peer/com/canonical/Friends/Streams
interface=com.canonical.Dee.Peer,
dbus (send)
bus=session
path=/com/canonical/dee/model/com/canonical/Friends/Streams
interface=com.canonical.Dee.Model
peer=(name=com.canonical.Friends.Streams),
dbus (receive)
bus=session
path=/com/canonical/dee/model/com/canonical/Friends/Streams
interface=com.canonical.Dee.Model,
# Description: Can access the history-service. This policy group is reserved
# for vetted applications only in this version of the policy. A future
# version of the policy may move this out of reserved status.
# Usage: reserved
dbus (send)
bus=session
path=/com/canonical/HistoryService
peer=(name=com.canonical.HistoryService),
dbus (receive)
bus=session
path=/com/canonical/HistoryService,
dbus (send)
bus=session
path=/com/canonical/HistoryService/**
peer=(name=com.canonical.HistoryService),
dbus (receive)
bus=session
path=/com/canonical/HistoryService/**,
# Description: Can access Location
# Usage: common
# TODO: when implementation for LP: #1223371 and LP: #1223211 is finalized,
# pick one of these
# session bus (not currently used-- maybe with trust-store)
dbus (send)
bus=session
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service"
peer=(name="com.ubuntu.location.Service"),
dbus (receive)
bus=session
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service",
dbus (receive, send)
bus=session
interface="com.ubuntu.location.Service.Session",
# system bus
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service"
peer=(name="com.ubuntu.location.Service"),
dbus (receive)
bus=system
path="/com/ubuntu/location/Service"
interface="com.ubuntu.location.Service",
dbus (receive, send)
bus=system
interface="com.ubuntu.location.Service.Session",
# Description: Can access the microphone
# Usage: common
# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,
# gstreamer - should these be application specific?
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,
# Description: Can read and write to music files. This policy group is
# reserved for certain applications, such as music players. Developers
# should typically use the content_exchange policy group and API to
# access music files instead.
# Usage: reserved
owner @{HOME}/Music/ r,
owner @{HOME}/Music/** rwk,
# Description: Can read all music files. This policy group is reserved
# for certain applications, such as music players. Developers should
# typically use the content_exchange policy group and API to access
# music files instead.
# Usage: reserved
owner @{HOME}/Music/ r,
owner @{HOME}/Music/** r,
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect,
dbus (receive, send)
bus=session
interface=com.canonical.applications.Download{,er}Manager,
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.Download,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.GroupDownload,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# Description: Can read and write to picture files. This policy group is
# reserved for certain applications, such as gallery applications.
# Developers should typically use the content_exchange policy group and
# API to access picture files instead.
# Usage: reserved
owner @{HOME}/Pictures/ r,
owner @{HOME}/Pictures/** rwk,
# Description: Can read all picture files. This policy group is reserved
# for certain applications, such as gallery applications. Developers
# should typically use the content_exchange policy group and API to
# access picture files instead.
# Usage: reserved
owner @{HOME}/Pictures/ r,
owner @{HOME}/Pictures/** r,
# Description: Can access the sensors
# Usage: common
# android-based access. Remove once we move away from audio flinger (LP: #1197134)
/dev/binder rw,
# Description: Can use UserMetrics to update the InfoGraphic
# Usage: common
dbus (send)
bus=system
path=/com/canonical/UserMetrics**
peer=(name=com.canonical.UserMetrics),
# Description: Can play video
# Usage: common
# android-based access. Remove once we move away from binder (LP: #1197134)
/dev/binder rw,
/dev/ashmem rw,
# gstreamer - should these be application specific?
owner @{HOME}/.gstreamer*/registry.*.bin* r,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/video.d"
# Description: Can read and write to video files. This policy group is
# reserved for certain applications, such as video players. Developers
# should typically use the content_exchange policy group and API to
# access video files instead.
# Usage: reserved
owner @{HOME}/Videos/ r,
owner @{HOME}/Videos/** rwk,
# Description: Can read all video files. This policy group is reserved
# for certain applications, such as video players. Developers should
# typically use the content_exchange policy group and API to access
# video files instead.
# Usage: reserved
owner @{HOME}/Videos/ r,
owner @{HOME}/Videos/** r,
# Description: Can use the UbuntuWebview
# Usage: common
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we'll use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when LP: #1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cx -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cx -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/* r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
# LP: #1260044
deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
# LP: #1260101
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
# LP: #1260048
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
# LP: # (bug number missing from this copy of the profile)
/sys/bus/pci/devices/ r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/etc/udev/udev.conf r,
# LP: #1260098
/tmp/ r,
/var/tmp/ r,
# LP: #1260103
owner /run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we can use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when LP: #1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
profile oxide_helper {
#
# Shared by chrome-sandbox and oxide-renderer: the parent profile above
# transitions into this child profile for both binaries (Cx for
# oxide-renderer, cx for chrome-sandbox). AppArmor rules are additive and
# apply to the whole profile, so every rule below is in force for both
# binaries, including the capability rules written for chrome-sandbox
# (capability rules only permit use of capabilities the process already
# holds; they do not grant any).
# NOTE(review): the lowercase `cx` used for chrome-sandbox in the parent
# profile skips AppArmor's environment scrubbing on that transition --
# presumably relying on the kernel's setuid handling for that binary; confirm.
#
#include <abstractions/base>
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
#
# chrome-sandbox specific
#
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
capability sys_admin,
# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability dac_override,
capability sys_chroot,
capability sys_ptrace,
# LP: #1260115
owner @{PROC}/[0-9]*/oom_adj w,
owner @{PROC}/[0-9]*/oom_score_adj w,
# ix: the renderer started by chrome-sandbox keeps running under this profile
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix,
#
# oxide-renderer specific
#
#include <abstractions/fonts>
@{PROC}/sys/kernel/shmmax r,
deny /etc/passwd r,
deny /tmp/ r,
deny /var/tmp/ r,
# LP: #1260103
# NOTE(review): the parent profile's rule for these shm files carries an
# `owner` qualifier; this one does not, presumably because chrome-sandbox
# runs setuid and its fsuid would not match the user's files -- confirm,
# and add `owner` if only oxide-renderer needs this rule.
/run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260048
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
# LP: #1260044
deny /usr/lib/@{multiarch}/oxide-qt/locales/ w,
}
# No read paths specified
# No write paths specified
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubuntu_1.1_webapp.json
Type: application/json
Size: 508 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131220/a3cebf62/attachment-0007.json>
-------------- next part --------------
# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
# D-Bus-escaped form of @{APP_PKGNAME} ('.' -> _2e, '_' -> _5f); used for the
# app-specific object paths in the dbus rules below
@{APP_ID_DBUS}="com_2eexample_2efoo_5fbar_5f0_2e1"
# Click package name; used for the install dirs and the per-app XDG dirs
@{APP_PKGNAME}="com.example.foo_bar_0.1"
# Click package version; selects the versioned install dir under @{CLICK_DIR}
@{APP_VERSION}="0.1"
# Root directory under which click packages are installed
@{CLICK_DIR}="/opt/click.ubuntu.com"
profile "com.example.foo_bar_0.1" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
#
# DBus rules common for all apps
#
# Allow connecting to session bus and where to connect to services
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communications with any system services are mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=Hello
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/{db,DB}us
interface=org.freedesktop.DBus
member={Add,Remove}Match
peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetNameOwner
peer=(name=org.freedesktop.DBus),
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=NameHasOwner
peer=(name=org.freedesktop.DBus),
# Allow starting services on the system bus (actual communications with
# the service are mediated elsewhere)
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=StartServiceByName
peer=(name=org.freedesktop.DBus),
# Unity shell
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator",
# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll",
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication",
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start",
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End",
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate},
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll",
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery",
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness",
# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL",
# TODO: finetune this
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",
#
# end DBus rules common for all apps
#
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
/var/lib/dbus/machine-id r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/custom/xdg/data/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps-- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running processes. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,
# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/kernel/debug/tracing/trace_marker w,
#
# thumbnailing helper
#
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks running processes. AppArmor kernel var could solve this
owner @{PROC}/[0-9]*/attr/current r,
#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
/usr/share/ubuntu-html5-theme/ r,
/usr/share/ubuntu-html5-theme/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
# qmlscene webview
# TODO: investigate child profile
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fall back to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,
#
# Application install dirs
#
# Click packages
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
#
# Application writable dirs
#
# FIXME: LP: #1197060
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1197056
owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/** rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# No abstractions specified
# Rules specified via policy groups
# Description: Can play audio
# Usage: common
/dev/ashmem rw,
# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,
# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/audio.d"
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>
# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect,
dbus (receive, send)
bus=session
interface=com.canonical.applications.Download{,er}Manager,
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.Download,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/**
interface=com.canonical.applications.GroupDownload,
# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",
# Description: Can play video
# Usage: common
# android-based access. Remove once we move away from binder (LP: #1197134)
/dev/binder rw,
/dev/ashmem rw,
# gstreamer - should these be application specific?
owner @{HOME}/.gstreamer*/registry.*.bin* r,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/video.d"
# Description: Can use the UbuntuWebview
# Usage: common
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we'll use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cx -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cx -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/* r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,
# LP: #1260044
deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
# LP: #1260101
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
# LP: #1260048
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
# LP: # (bug number not recorded for the PCI/udev rules below)
/sys/bus/pci/devices/ r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/etc/udev/udev.conf r,
# LP: #1260098
/tmp/ r,
/var/tmp/ r,
# LP: #1260103
owner /run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we can use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
profile oxide_helper {
#
# Helper profile shared by chrome-sandbox and oxide-renderer: the parent
# profile transitions both binaries here (Cx/cx -> oxide_helper) until the
# two can be split into separate profiles (see LP: #1260090 above).
#
#include <abstractions/base>
# /proc access: directory listings are readable for any pid, while the
# per-process files below are limited to the caller's own entries via owner
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
#
# chrome-sandbox specific
#
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
# NOTE(review): capability rules apply to the whole profile, so they are
# also available to oxide-renderer while it runs under oxide_helper (it is
# ix'd below), not only to chrome-sandbox - confirm the renderer has
# dropped them by the time it handles untrusted content.
capability sys_admin,
# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability dac_override,
capability sys_chroot,
capability sys_ptrace,
# LP: #1260115
owner @{PROC}/[0-9]*/oom_adj w,
owner @{PROC}/[0-9]*/oom_score_adj w,
# ix: oxide-renderer started by chrome-sandbox keeps running in this profile
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix,
#
# oxide-renderer specific
#
#include <abstractions/fonts>
@{PROC}/sys/kernel/shmmax r,
# Explicit denials keep audit logs quiet for paths the renderer probes but
# must not read; note /tmp/ and /var/tmp/ are readable in the parent
# profile but not here
deny /etc/passwd r,
deny /tmp/ r,
deny /var/tmp/ r,
# LP: #1260103
# NOTE(review): the parent profile's matching rule is owner-qualified; this
# one is not, so it also matches files of that name owned by other users -
# confirm that is intended
/run/shm/.org.chromium.Chromium.* rwk,
# LP: #1260048
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,
# LP: #1260044
deny /usr/lib/@{multiarch}/oxide-qt/locales/ w,
}
# No read paths specified
# No write paths specified
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20131220/a3cebf62/attachment-0001.pgp>