Raúl Vidal has proposed merging lp:~raulvior-bcn/apparmor/apparmor-quiterss into lp:apparmor.
Requested reviews: AppArmor Developers (apparmor-dev) Related bugs: Bug #1667963 in apparmor (Ubuntu): "QuiteRSS AppArmor profile" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1667963 For more details, see: https://code.launchpad.net/~raulvior-bcn/apparmor/apparmor-quiterss/+merge/331610 Solves lp:1667963. -- Your team AppArmor Developers is requested to review the proposed merge of lp:~raulvior-bcn/apparmor/apparmor-quiterss into lp:apparmor.
=== added file 'profiles/apparmor/profiles/extras/usr.bin.quiterss'
--- profiles/apparmor/profiles/extras/usr.bin.quiterss 1970-01-01 00:00:00 +0000
+++ profiles/apparmor/profiles/extras/usr.bin.quiterss 2017-09-30 00:33:50 +0000
@@ -0,0 +1,157 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+/usr/bin/quiterss {
+ #include <abstractions/base>
+ #include <abstractions/audio>
+ #include <abstractions/dbus-strict>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/dbus-accessibility-strict>
+ #include <abstractions/dconf>
+ #include <abstractions/fonts>
+ #include <abstractions/gnome>
+ #include <abstractions/ubuntu-helpers>
+ #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
+ #include <abstractions/gstreamer>
+ #include <abstractions/ibus>
+ #include <abstractions/nameservice>
+ #include <abstractions/openssl>
+ #include <abstractions/ubuntu-unity7-base>
+ #include <abstractions/ubuntu-unity7-launcher>
+
+ #Needed to read /proc/@{pid}/exe of indicator-application-service
+ #QuiteRss checks executable path before displaying image on notification area,
+ #otherwise notification item remains blank.
+ ptrace (trace) peer=unconfined, # Allows reading /proc/pid/exe. Capability DAC_OVERRIDE did not work
+
+ /bin/dash mrix,
+ /usr/bin/xdg-open Cxr -> sanitized_helper, #Needed for opening links in external browser
+ /dev/ r,
+ /run/udev/data/c* r,
+ /run/udev/data/+drm:card* r,
+ deny /sys/bus/ r,
+ deny /sys/class/ r,
+ deny /sys/class/drm/ r,
+ deny /sys/devices/system/node/ r,
+ deny /sys/devices/system/node/node[0-9]*/meminfo r,
+ deny /sys/devices/system/cpu/ r,
+ owner /tmp/qt-trayicon-* rw,
+ owner /tmp/qtsingleapp-quiter-* w,
+ owner /tmp/qtsingleapp-quiter-*-lockfile rw,
+ /usr/bin/quiterss mr,
+ /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/quiterss/** r,
+ owner @{HOME}/.ICEauthority r,
+ owner @{HOME}/.Xauthority r,
+ owner @{HOME}/.cache/QuiteRss/QuiteRss/ r,
+ owner @{HOME}/.cache/QuiteRss/QuiteRss/** rw,
+ owner @{HOME}/.cache/gstreamer-1.0/registry.x86_64.bin* rw,
+ deny owner @{HOME}/.macromedia/Flash_Player/** rw, #Do not load Flash Player
+ owner @{HOME}/.config/QuiteRss/** rw,
+ owner @{HOME}/.local/share/QuiteRss/**/ r,
+ owner @{HOME}/.local/share/QuiteRss/QuiteRss/** rw,
+ owner @{HOME}/.local/share/icons/ r,
+ owner @{HOME}/.local/share/icons/** r,
+ owner @{HOME}/.config/QtProject.conf r,
+ owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rw,
+ owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rw,
+
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/status r,
+ owner @{PROC}/@{pid}/exe r,
+
+ /usr/lib/@{multiarch}/libproxy/[0-9]*/modules/*.so mr,
+ /usr/lib/@{multiarch}/libproxy/[0-9]*/pxgsettings Cxr -> pxgsettings,
+ profile pxgsettings {
+ #include <abstractions/gnome>
+ #include <abstractions/dconf>
+ #include <abstractions/dbus-session-strict>
+ /usr/share/glib-*/schemas/** r,
+ /usr/local/share/glib-*/schemas/** r,
+ /usr/lib/@{multiarch}/libproxy/[0-9]*/pxgsettings ixmr,
+ owner @{HOME}/.config/dconf/user r,
+ owner /run/user/*/dconf/ w,
+ owner /run/user/*/dconf/user rw,
+ }
+
+
+ dbus (send)
+ bus=session
+ path=/org/gtk/vfs/mounttracker
+ interface=org.gtk.vfs.MountTracker
+ member=(ListMountableInfo),
+
+# NetworkManager
+
+ dbus (send)
+ bus=system
+ path=/org/freedesktop/NetworkManager{,/ActiveConnection/*,/Devices/*,/Settings,/Settings/*}
+ interface=org.freedesktop{.DBus.Properties,.NetworkManager{,.Settings,.Settings.Connection}}
+ member={GetAll,GetDevices,ListConnections,GetSettings}
+ peer=(name=org.freedesktop.NetworkManager),
+
+ dbus (send)
+ bus=system
+ path=/
+ interface=org.ofono.Manager
+ member=(GetModems)
+ peer=(name=org.ofono),
+
+# Unity Global Menu
+
+ dbus (send)
+ bus=session
+ path=/MenuBar{,/*}
+ interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
+ member={LayoutUpdated,ItemsPropertiesUpdated,GetAll,LayoutUpdated,ItemsPropertiesUpdated}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive)
+ bus=session
+ path=/MenuBar{,/*}
+ interface=org.freedesktop.DBus.Properties
+ member=(GetAll),
+
+# Notification area
+ dbus (send)
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,GetConnectionUnixProcessID,ReleaseName}
+ peer=(name=org.freedesktop.DBus),
+
+
+ dbus (send)
+ bus=session
+ path=/org/gnome/GConf/{Server,Database/*}
+ interface=org.gnome.GConf.{Server,Database}
+ member={GetDefaultDatabase,LookupExtended}
+ peer=(name=org.gnome.GConf),
+
+ dbus (send)
+ bus=session
+ path=/StatusNotifierWatcher
+ interface=org.{freedesktop.DBus.{Introspectable,Properties},kde.StatusNotifierWatcher}
+ member={Introspect,Get,RegisterStatusNotifierItem}
+ peer=(name=org.kde.StatusNotifierWatcher),
+
+
+ dbus (bind)
+ bus=session
+ name=org.kde.StatusNotifierItem-@{pid}-[0-9]*,
+
+ dbus (send)
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.kde.StatusNotifierItem
+ member={NewIcon,NewToolTip}
+ peer=(name=org.freedesktop.DBus),
+
+ dbus (receive)
+ bus=session
+ path=/StatusNotifierItem
+ interface=org.freedesktop.DBus.Properties
+ member=(GetAll),
+
+}
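Review bot: `ptrace (trace) peer=unconfined,` near the top of the new profile grants considerably more than the accompanying comment says is needed: resolving another process's `/proc/<pid>/exe` is mediated by the kernel as a ptrace read-mode access check, so `ptrace (read) peer=unconfined,` should be sufficient and avoids allowing the confined app to attach to arbitrary unconfined processes (worth confirming in testing, since the comment only records that DAC_OVERRIDE was tried). Even with `(read)`, `peer=unconfined` matches every unconfined process rather than just indicator-application-service, which is a limitation worth noting in the comment as `# peer=unconfined is the narrowest label available for indicator-application-service`. Separately, `/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,` and `owner @{HOME}/.cache/gstreamer-1.0/registry.x86_64.bin* rw,` hard-code the architecture while the rest of the profile already uses `@{multiarch}`; `/usr/lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,` and `registry.*.bin*` keep the profile working on other architectures. Minor: the Unity Global Menu send rule lists `LayoutUpdated` and `ItemsPropertiesUpdated` twice in its member set.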