On 03/19/2013 02:37 PM, "Артём Н." wrote: > 19.03.2013 21:31, Seth Arnold пишет: >> On Tue, Mar 19, 2013 at 07:13:01PM +0400, "Артём Н." wrote: >>> Profile for the FatRat download manager. >>> I didn't test it carefully, but it works. >> >> Nice. I've got a few comments inline.. >> >>> ----- >>> # >>> # FatRat apparmor profile. >>> # >>> >>> # vim:syntax=apparmor >>> >>> # Last Modified: Sun Feb 17 10:43:47 2013 >>> # Author: Artiom N. <[email protected]> >>> >>> #include <tunables/global> >>> >>> /usr/bin/fatrat { >>> #include <abstractions/base> >>> #include <abstractions/nameservice> >>> #include <abstractions/fonts> >>> #include <abstractions/freedesktop.org> >>> #include <abstractions/kde> >>> #include <abstractions/gnome> >>> #include <abstractions/user-download> >>> >>> # Not needed. >>> # #include <abstractions/ubuntu-bittorrent-clients> >> >> It would probably be better to just remove lines that aren't needed. >> It's one thing to leave them in while making changing changes to someone >> else's profiles and discussing them. >> >>> # Paranoia. >>> #include <abstractions/private-files-strict> >>> >>> /usr/bin/fatrat mr, >>> >>> /usr/bin/xdg-open rmix, >>> /usr/lib/fatrat/** rmk, >>> /usr/share/fatrat/** rmk, >>> /usr/share/kde*/** rm, >>> /usr/share/lintian/overrides/fatrat-data r, >>> >>> owner @{PROC}/*/ r, >>> # owner @{PROC}/net/dev r, >>> # root, root >>> @{PROC}/*/net/dev r, >> >> Same here, I'd think remove both commented lines > Ok. At your discretion. > >>> /home/ r, >>> owner @{HOME}/.config/Dolezel/fatrat.conf rwk, >> Is 'Dolezel' unique to your configuration? Or common for the >> application? > I think, it not depends on the configuration: > http://fatrat.dolezel.info/ > :-) > >> >>> owner @{HOME}/.kde/share/config/kdebugrc r, >>> owner @{HOME}/.kde/share/config/kdeglobals rk, >>> owner @{HOME}/.kde/share/icons/** rk, >>> owner @{HOME}/.local/share/fatrat/ rwk, >>> owner @{HOME}/.local/share/fatrat/** rwmk, >>> >>> # Optional. >>> deny @{HOME}/Desktop/ rwmkl, >>> deny @{HOME}/Desktop/** rwmkl, >>> >>> } >>> ----- >>> >>> Also I've added @{TORRENT_CLIENT} in tunables/global and I've granted >>> permissions on execution it in browser's rules. >>> >>> tunables/global: >>> @{TORRENT_CLIENT}=/usr/bin/fatrat >> This is going to lead to trouble. What we have now is admittedly >> complex, but it is designed to avoid the user editing tunables/global >> directly -- once the user modifies the file, it'll be prompted about for >> upgrades for ever. >> That's why the current approach includes the other files, which users >> are encouraged to modify -- it'll be easier for them to accept/deny >> changes on upgrades in the future, or preseed settings at installation >> time. > Yes, I understand, that inclusion <abstractions/ubuntu-bittorrent-clients> is > more flexible, than setting variable. > But, I think this is a really complex and give more rights, than a program > needs. > Am I wrong?
You are not wrong. sanitized_helper is something we use in Ubuntu to
help us ship distribution profiles due to AppArmor's current lack of
comprehensive environment filtering (this is being worked on). I don't
think we should necessarily be promoting sanitized_helper's use, but we
also don't want [Uu]x in a profile.
>>> abstractions/ubuntu-browsers.d/other (file, included in browser's profiles):
>>> @{TORRENT_CLIENT} rPx,
>> This doesn't really play nicely with the existing
>> ubuntu-bittorrent-clients portion of policy, which gives torrent clients
>> the sanitized_helper near-unconfined-status. (Not that near-unconfined
>> torrent clients are a good idea; just a pragmatic idea. :)
> But I haven't found fatrat in ubuntu-bittorrent-clients and I didn't like
> sanitized_helper. :-)
> Why does torrent client need to run programs in /sbin or /usr/bin?
> Why is it not a good idea to make helper with more restrictions?
>
It is a great idea to make the helper run with more restrictions, but it
is difficult to do in a general purpose manner. I understand why you
went this route-- people can use any number of torrent clients and you'd
like to support that. For inclusion in the apparmor-profiles repository,
I think it is probably 'ok' to just use 'Pxr' with the recommended
bittorrent clients that upstream recommends, otherwise copy the list
from ubuntu-bittorrent-clients and use 'Pxr' for each instead of
sanitized_helper. There is precedence for this in
apparmor/profiles/extras and I think it would apply to the
apparmor-profiles repository.
--
Jamie Strandboge http://www.ubuntu.com/
signature.asc
Description: OpenPGP digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
