I couldn't find profiles for some of the programs I use. I run Debian and write profiles for it, but I hope that if they are included in the Ubuntu packages, one day they will migrate from Ubuntu to Debian. :-)
I also have some questions; for example: can I allow access to a file if I denied it earlier? Dict:

# vim:syntax=apparmor
# Last Modified: Sun Mar 10 20:19:24 2013
# Author: Artiom N. <[email protected]>
#include <tunables/global>
/usr/sbin/dictd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
  capability setuid,
  capability setgid,
  /etc/dictd/** mr,
  /etc/group mr,
  /usr/share/dictd/** mr,
  /usr/sbin/dictd mr,
  /var/lib/dictd/** mrk,
  owner /var/run/dictd.pid mrwk,
  owner /run/dictd.pid mrwk,
}

DNSCrypt:

# Last Modified: Fri Mar 8 15:24:34 2013
#include <tunables/global>
/usr/sbin/dnscrypt-proxy {
  #include <abstractions/base>
  capability sys_resource,
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability net_bind_service,
  capability net_admin,
  network inet udp,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/sbin/dnscrypt-proxy mr,
  /var/lib/dnscrypt rwk,
}

Fix for usr/sbin/unbound:

  /{,var/}run/unbound.pid rw,
+ /run/unbound.pid rw,

My profile for Firefox; I think it works correctly (it currently includes some cruft):

# Last Modified: Fri Mar 8 16:32:14 2013
#include <tunables/global>
/usr/lib/xulrunner-*/xulrunner {
  #include <abstractions/base>
  /bin/* Pixr,
  /usr/bin/* Pixr,
  /usr/lib/xulrunner-*/run-mozilla.sh rCx,
  profile /usr/lib/xulrunner-*/run-mozilla.sh {
    #include <abstractions/base>
    /bin/* Pixr,
    /usr/bin/* Pixr,
    /usr/lib/xulrunner-*/* rpx,
  }
}

# Last Modified: Fri Mar 8 19:12:37 2013
#include <tunables/global>
#/usr/lib/iceweasel/firefox-bin {
/usr/lib/xulrunner-*/xulrunner-stub {
  #include <abstractions/ubuntu-browsers.d/productivity>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/ubuntu-browsers.d/kde>
  # #include <abstractions/ubuntu-browsers.d/text-editors>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration-xul>
  #include <abstractions/ubuntu-browsers.d/multimedia>
  #include <abstractions/ubuntu-browsers.d/other>
  #include <abstractions/ubuntu-browsers.d/user-files>
  #include <abstractions/ubuntu-helpers>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-browsers.d/browsers-user-paths>
  #include <abstractions/gnome>
  capability sys_nice,
  capability sys_ptrace,
  /bin/kmod rix,
  @{PROC}/*/status r,
  @{PROC}/driver/nvidia/params r,
  @{PROC}/modules r,
  /sys/devices/system/cpu/present r,
  /lib/@{multiarch}/libm-*.so* mr,
  # Helpers
  /usr/bin/xdg-open ixr,
  /usr/bin/gnome-open ixr,
  /usr/bin/gvfs-open ixr,
  /etc/iceweasel*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner{,-[0-9]*}/** r,
  /etc/mime.types r,
  /etc/timezone r,
  /usr/{lib*,share}/** rm,
  /usr/** rm,
  /usr/lib/iceweasel/** r,
  /usr/share/mozilla/** r,
  /usr/lib/xulrunner-*/** r,
  /usr/share/xul-ext/** r,
  /usr/share/xul-ext/**/ rmpix,
  /usr/share/misc/magic.mgc r,
  /usr/lib/x86_64-linux-gnu/** rm,
  # chromium mmaps all kinds of things for speed.
  # firefox? may be...
  # /etc/passwd m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/mime/mime.cache m,
  /usr/share/icons/**/*.cache m,
  owner /{dev,run}/shm/pulse-shm* m,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner /tmp/** rwm,
  owner @{HOME}/.mozilla/plugins/** mrix,
  owner @{HOME}/.mozilla/firefox/** mrwkix,
  # owner /var/tmp/** m,
  /usr/bin/mozplugger-controller rix,
  /etc/mozpluggerrc r,
  /etc/vdpau_wrapper.cfg r,
  # xul-runner configs.
  /etc/gre.d/* r,
  # for the flash plugin and others.
  /usr/lib/xulrunner-10.0/plugin-container rmix,
}

Modified profile for Opera:

# Last Modified: Fri Mar 8 18:55:18 2013
# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
/usr/bin/opera {
  #include <abstractions/ubuntu-browsers.d/productivity>
  #include <abstractions/ubuntu-browsers.d/java>
  #include <abstractions/ubuntu-browsers.d/kde>
  # #include <abstractions/ubuntu-browsers.d/text-editors>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration-xul>
  #include <abstractions/ubuntu-browsers.d/multimedia>
  #include <abstractions/ubuntu-browsers.d/other>
  #include <abstractions/ubuntu-browsers.d/user-files>
  # #include <abstractions/ubuntu-helpers>
  # #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-browsers.d/browsers-user-paths>
  /etc/opera6rc rw,
  /etc/opera6rc.fixed rw,
  /opt/ r,
  /sys/class/video4linux/ r,
  /usr/bin/opera rpx,
  /usr/lib/RealPlayer10/realplay rPx,
  /usr/lib/RealPlayer10/realplay.bin rPx,
  /usr/lib/** rm,
  /usr/lib/opera/** rmix,
  /usr/share/** rm,
  /usr/share/opera/ rk,
  /usr/share/opera/** rixk,
  owner /var/tmp/** rmwlk,
  owner /{,var/}run/.resmgr_socket w,
  owner @{HOME}/.opera/ rwlk,
  owner @{HOME}/.opera/** rwlk,
  owner @{HOME}/.config/user-dirs.dirs rwk,
  owner @{HOME}/.kde/share/apps/kfileplaces/bookmarks.xml rmw,
  owner @{HOME}/OperaDownloads/* rw,
}

Abstractions:

abstractions/ubuntu-browsers.d/other:

# Author: Artiom N. <>
# vim:syntax=apparmor
#include <abstractions/audio>
#include <abstractions/fonts>
#include <abstractions/nameservice>
network inet stream,
network inet6 stream,
@{PROC}/[0-9]*/net/if_inet6 r,
@{PROC}/[0-9]*/net/ipv6_route r,
/usr/lib/flashplugin-nonfree rmpix,
/usr/local/share/applications/** r,
/usr/share/applications/** r,
owner @{HOME}/.macromedia/** rw,
# OpenGL cache.
@{HOME}/.nv/ rwmk,
@{HOME}/.nv/** rwmk,
# Allow access to documentation and other files the user may want to look
# at in /usr
/usr/{include,share,src}** r,

P.S.: Sorry for my English; I know it is not good.
