[apparmor] Some profiles
"Артём Н."
artiom14 at yandex.ru
Mon Mar 11 17:12:57 UTC 2013
I can't find profiles for some of the programs that I use.
I use Debian and make profiles for it, but I hope that if they are included
in the Ubuntu packages, they will one day migrate from Ubuntu to Debian. :-)
And I have some questions; for example: can I allow access to a file if I
denied it earlier?
Dict:
# vim:syntax=apparmor
# Last Modified: Sun Mar 10 20:19:24 2013
# Author: Artiom N. <artiom14 at yandex.ru>
#include <tunables/global>

# Profile for the dictd dictionary server.
/usr/sbin/dictd {
  #include <abstractions/base>
  # Name resolution (presumably also the socket rules dictd needs — confirm).
  #include <abstractions/nameservice>

  # NOTE(review): net_bind_service is only required for ports below 1024;
  # confirm that dictd's configured listen port actually needs it.
  capability net_bind_service,
  # setuid/setgid: presumably for dropping privileges after start-up — confirm.
  capability setuid,
  capability setgid,

  # Configuration and dictionary data: read-only, with mmap allowed.
  /etc/dictd/** mr,
  # NOTE(review): m (mmap PROT_EXEC) on /etc/group looks unnecessary; r is
  # probably enough.
  /etc/group mr,
  /usr/share/dictd/** mr,
  /usr/sbin/dictd mr,
  # k: file locking is additionally permitted on the data files.
  /var/lib/dictd/** mrk,

  # Pid file; owner restricts the rule to files belonging to the process's uid.
  # Both spellings could be collapsed into /{,var/}run/dictd.pid, and m is not
  # needed on a pid file.
  owner /var/run/dictd.pid mrwk,
  owner /run/dictd.pid mrwk,
}
DNSCrypt:
# Last Modified: Fri Mar 8 15:24:34 2013
#include <tunables/global>

# Profile for dnscrypt-proxy.
/usr/sbin/dnscrypt-proxy {
  #include <abstractions/base>

  # NOTE(review): this is a wide capability set for a DNS proxy. sys_chroot,
  # setuid and setgid are consistent with chroot-and-drop-privileges at
  # start-up; dac_override, net_admin and sys_resource are broad and should
  # each be justified by an observed denial, or removed.
  capability sys_resource,
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability net_bind_service,
  capability net_admin,

  # Only IPv4 UDP is allowed: DNS over TCP and IPv6 are denied as written —
  # confirm that is intended.
  network inet udp,

  # User lookup (presumably for the privilege drop — confirm).
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/sbin/dnscrypt-proxy mr,

  # NOTE(review): without a trailing / or /** this rule matches only the path
  # /var/lib/dnscrypt itself, not files inside it; if the proxy needs files
  # there, a /var/lib/dnscrypt/** rwk, rule is required.
  /var/lib/dnscrypt rwk,
}
Fix for /usr/sbin/unbound:
# The {,var/} alternation expands to both /run/unbound.pid and /var/run/unbound.pid.
/{,var/}run/unbound.pid rw,
# NOTE(review): the existing rule above already covers /run/unbound.pid, so this
# addition appears redundant — confirm against the denial that prompted it.
+ /run/unbound.pid rw,
My profile for Firefox; I think it works correctly (it currently includes some
junk):
# Last Modified: Fri Mar 8 16:32:14 2013
#include <tunables/global>

# Profile for the xulrunner launcher. It only starts helpers and the
# run-mozilla.sh wrapper; the real browser binaries are presumably reached
# through the px transition in the child profile below.
/usr/lib/xulrunner-*/xulrunner {
  #include <abstractions/base>

  # Pix: run the target under its own profile with a scrubbed environment,
  # falling back to inheriting this profile when no profile exists.
  # NOTE(review): this lets the launcher start anything in /bin and /usr/bin;
  # narrowing to the helpers actually used would be safer.
  /bin/* Pixr,
  /usr/bin/* Pixr,

  # Cx: run run-mozilla.sh under the child profile declared below, with a
  # scrubbed environment.
  /usr/lib/xulrunner-*/run-mozilla.sh rCx,

  # Child profile for the wrapper script.
  profile /usr/lib/xulrunner-*/run-mozilla.sh {
    #include <abstractions/base>

    /bin/* Pixr,
    /usr/bin/* Pixr,

    # px without an i fallback: each target must have its own profile loaded,
    # otherwise the exec is denied.
    /usr/lib/xulrunner-*/* rpx,
  }
}
# Last Modified: Fri Mar 8 19:12:37 2013
#include <tunables/global>

# Profile for the Iceweasel/xulrunner browser process. The commented-out
# attachment path is the alternative binary name, kept for reference.
#/usr/lib/iceweasel/firefox-bin {
/usr/lib/xulrunner-*/xulrunner-stub {
  #include <abstractions/ubuntu-browsers.d/productivity>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/ubuntu-browsers.d/kde>
  # #include <abstractions/ubuntu-browsers.d/text-editors>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration-xul>
  #include <abstractions/ubuntu-browsers.d/multimedia>
  #include <abstractions/ubuntu-browsers.d/other>
  #include <abstractions/ubuntu-browsers.d/user-files>
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-browsers.d/browsers-user-paths>
  #include <abstractions/gnome>

  # NOTE(review): sys_ptrace is a powerful capability for a browser; record
  # the denial that motivated it or drop it. The same applies to sys_nice.
  capability sys_nice,
  capability sys_ptrace,

  # rix: kmod runs inheriting this profile.
  /bin/kmod rix,
  # NOTE(review): the status of every process is readable; restrict this to
  # the browser's own processes if possible.
  @{PROC}/*/status r,
  @{PROC}/driver/nvidia/params r,
  @{PROC}/modules r,
  /sys/devices/system/cpu/present r,
  /lib/@{multiarch}/libm-*.so* mr,

  # Helpers
  /usr/bin/xdg-open ixr,
  /usr/bin/gnome-open ixr,
  /usr/bin/gvfs-open ixr,

  /etc/iceweasel*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner{,-[0-9]*}/** r,
  /etc/mime.types r,
  /etc/timezone r,

  # NOTE(review): "/usr/** rm," grants read+mmap on the whole of /usr; it
  # subsumes the preceding rule and makes every read-only /usr rule below
  # redundant. The narrower rules are the ones worth keeping.
  /usr/{lib*,share}/** rm,
  /usr/** rm,
  /usr/lib/iceweasel/** r,
  /usr/share/mozilla/** r,
  /usr/lib/xulrunner-*/** r,
  /usr/share/xul-ext/** r,
  # NOTE(review): the trailing / limits this rule to directory entries, where
  # the m and pix flags have no effect; /usr/share/xul-ext/** was probably
  # intended — confirm.
  /usr/share/xul-ext/**/ rmpix,
  /usr/share/misc/magic.mgc r,
  /usr/lib/x86_64-linux-gnu/** rm,

  # chromium mmaps all kinds of things for speed.
  # firefox? may be...
  # /etc/passwd m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/mime/mime.cache m,
  /usr/share/icons/**/*.cache m,
  owner /{dev,run}/shm/pulse-shm* m,
  owner @{HOME}/.local/share/mime/mime.cache m,
  # NOTE(review): w together with m on /tmp lets the process map files it
  # wrote itself as executable; keep m only if an actual denial requires it.
  owner /tmp/** rwm,
  owner @{HOME}/.mozilla/plugins/** mrix,
  # NOTE(review): w combined with ix over the whole profile directory means a
  # file written there can then be executed under this profile; consider
  # limiting ix to the specific helpers that need it.
  owner @{HOME}/.mozilla/firefox/** mrwkix,
  # owner /var/tmp/** m,
  /usr/bin/mozplugger-controller rix,
  /etc/mozpluggerrc r,
  /etc/vdpau_wrapper.cfg r,
  # xul-runner configs.
  /etc/gre.d/* r,
  # for the flash plugin and others.
  # NOTE(review): the version 10.0 is hard-coded while every other rule uses
  # xulrunner-*; this rule will no longer match after an upgrade.
  /usr/lib/xulrunner-10.0/plugin-container rmix,
}
Modified profile for Opera:
# Last Modified: Fri Mar 8 18:55:18 2013
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>

# Profile for the Opera browser, based on the Novell/SUSE profile.
/usr/bin/opera {
  #include <abstractions/ubuntu-browsers.d/productivity>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/ubuntu-browsers.d/kde>
  # #include <abstractions/ubuntu-browsers.d/text-editors>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration-xul>
  #include <abstractions/ubuntu-browsers.d/multimedia>
  #include <abstractions/ubuntu-browsers.d/other>
  #include <abstractions/ubuntu-browsers.d/user-files>
  # #include <abstractions/ubuntu-helpers>
  # #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-browsers.d/browsers-user-paths>

  # NOTE(review): write access to system-wide configuration in /etc is
  # unusual for a user-run browser; r is probably sufficient — confirm.
  /etc/opera6rc rw,
  /etc/opera6rc.fixed rw,
  /opt/ r,
  /sys/class/video4linux/ r,
  # px to its own attachment path: a re-exec presumably lands back in this profile.
  /usr/bin/opera rpx,
  # Px: RealPlayer runs under its own profile with a scrubbed environment; the
  # exec is denied if no such profile is loaded.
  /usr/lib/RealPlayer10/realplay rPx,
  /usr/lib/RealPlayer10/realplay.bin rPx,
  # NOTE(review): read+mmap on all of /usr/lib and /usr/share is very broad and
  # makes the r and m parts of the opera-specific rules below redundant.
  /usr/lib/** rm,
  # ix: anything under /usr/lib/opera and /usr/share/opera may be executed
  # inheriting this profile.
  /usr/lib/opera/** rmix,
  /usr/share/** rm,
  /usr/share/opera/ rk,
  /usr/share/opera/** rixk,
  # NOTE(review): w together with m on /var/tmp lets the browser map files it
  # wrote itself as executable; keep m only if an actual denial requires it.
  owner /var/tmp/** rmwlk,
  owner /{,var/}run/.resmgr_socket w,
  # Per-user state; owner restricts the rules to files belonging to the process's uid.
  owner @{HOME}/.opera/ rwlk,
  owner @{HOME}/.opera/** rwlk,
  owner @{HOME}/.config/user-dirs.dirs rwk,
  owner @{HOME}/.kde/share/apps/kfileplaces/bookmarks.xml rmw,
  owner @{HOME}/OperaDownloads/* rw,
}
Abstractions:
abstractions/ubuntu-browsers.d/other:
# Author: Artiom N. <>
# vim:syntax=apparmor
# Abstraction shared by the browser profiles: audio, fonts, name resolution,
# TCP networking, the Flash plugin and desktop-integration files.
#include <abstractions/audio>
#include <abstractions/fonts>
#include <abstractions/nameservice>

# TCP over IPv4 and IPv6.
network inet stream,
network inet6 stream,

@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,

# pix: the Flash plugin runs under its own profile if one is loaded, and
# otherwise inherits the calling profile.
/usr/lib/flashplugin-nonfree rmpix,
/usr/local/share/applications/** r,
/usr/share/applications/** r,
owner @{HOME}/.macromedia/** rw,

# OpenGL cache.
# NOTE(review): unlike the .macromedia rule above, these lack the owner
# qualifier; add it for consistency unless shared ownership is required.
@{HOME}/.nv/ rwmk,
@{HOME}/.nv/** rwmk,

# Allow access to documentation and other files the user may want to look
# at in /usr
# NOTE(review): with no / before **, this glob also matches sibling names that
# merely start with include/share/src (a hypothetical /usr/sharefoo, say);
# /usr/{include,share,src}/** r, would be tighter.
/usr/{include,share,src}** r,
P.S.:
Sorry for my English; I know it is not good. :-(