On 03/10/2014 08:34 AM, [email protected] wrote:
> From: intrigeri <[email protected]>
> 
> Thanks a lot to Simon Deziel <[email protected]> for working on this
> with me.

So this is looking pretty good to me, I have even installed it and fired up
pidgin on trusty

I got rejects for

  [ 4563.864233] type=1400 audit(1395773475.248:552): apparmor="DENIED" 
operation="open" profile="/usr/bin/pidgin" 
name="/home/jj/.local/share/applications/wine/" pid=4958 comm="gvfs-open" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

  which has me wondering what it's doing poking at wine, I was thinking of
  adding a deny for that, but I'd like to hear what you think first

and

  [  350.085941] type=1400 audit(1395769265.052:129): apparmor="DENIED" 
operation="ptrace" profile="/usr/bin/pidgin" pid=3057 comm="pidgin" 
target=642240A40288FFFF642240A40288FFFF10C440A40288FFFF10C440A40288FFFF20C440A40288FFFF20C440A40288FFFF4206

the ptrace one is showing a bug in the trusty kernel at least for the
target name so I'd say ignore it at the moment


> ---
>  ubuntu/14.04/usr.bin.pidgin | 120 
> +++++++++++++++++++++-----------------------
>  1 file changed, 58 insertions(+), 62 deletions(-)
> 
> diff --git a/ubuntu/14.04/usr.bin.pidgin b/ubuntu/14.04/usr.bin.pidgin
> index 5fc462c..16f50bb 100644
> --- a/ubuntu/14.04/usr.bin.pidgin
> +++ b/ubuntu/14.04/usr.bin.pidgin
> @@ -1,76 +1,72 @@
> -# 
> -#    AppArmor Pidgin profile for Ubuntu 9.04 Jaunty
> -#    
> -#    This program is free software; you can redistribute it and/or
> -#    modify it under the terms of version 2 of the GNU General Public
> -#    License published by the Free Software Foundation.
> -#
> +# vim:syntax=apparmor
>  
>  #include <tunables/global>
> +
>  /usr/bin/pidgin {
> -     #include <abstractions/audio>
> -     #include <abstractions/aspell>
> -     #include <abstractions/bash>
> -     #include <abstractions/consoles>
> -     #include <abstractions/dbus>
> -     #include <abstractions/gnome>
> -     #include <abstractions/nameservice>
> -     #include <abstractions/launchpad-integration>
> -     #include <abstractions/user-download>
> +  #include <abstractions/audio>
> +  #include <abstractions/base>
> +  #include <abstractions/bash>
> +  #include <abstractions/dbus>
> +  #include <abstractions/dbus-session>
> +  #include <abstractions/enchant>
> +  #include <abstractions/gnome>
> +  #include <abstractions/ibus>
> +  #include <abstractions/launchpad-integration>
> +  #include <abstractions/nameservice>
> +  #include <abstractions/private-files-strict>
> +  #include <abstractions/ssl_certs>
> +  #include <abstractions/ubuntu-browsers>
> +  #include <abstractions/ubuntu-helpers>
> +  #include <abstractions/user-download>
>  
> -     capability sys_ptrace,
> +  deny capability sys_ptrace,
>  
> -     deny @{HOME}/.bash* rw,
> -     deny @{HOME}/.cshrc rw,
> -     deny @{HOME}/.profile rw,
> -     deny @{HOME}/.ssh/* rw,
> -     deny @{HOME}/.zshrc rw,
> +  owner @{HOME}/.gstreamer*/ rw,
> +  owner @{HOME}/.gstreamer*/** rw,
> +  owner @{HOME}/.purple/ rw,
> +  owner @{HOME}/.purple/** rwk,
> +  owner @{HOME}/.{cache,config}/dconf/user rw,
> +  owner @{HOME}/.config/indicators/ rw,
> +  owner @{HOME}/.config/indicators/** rw,
> +  owner @{HOME}/.local/share/applications/ r,
> +  owner /{,var/}run/user/[0-9]*/dconf/user rwk,
>  
> -     owner @{HOME}/.config/enchant/ rw,
> -     owner @{HOME}/.config/enchant/* rwk,
> -     owner @{HOME}/.local/share/icons/ r,
> -     owner @{HOME}/.local/share/mime/* r,
> -     owner @{HOME}/.gnome2/nautilus-sendto/** rw,
> -     owner @{HOME}/.gstreamer*/ rw,
> -     owner @{HOME}/.gstreamer*/** rw,
> -     owner @{HOME}/.pulse/ rw,
> -     owner @{HOME}/.pulse/** rw,
> -     owner @{HOME}/.pulse-cookie rwk,
> -     owner @{HOME}/.purple/ rw,
> -     owner @{HOME}/.purple/** rwk,
> +  /bin/dash rix,
> +  /bin/which rix,
>  
> -     /bin/dash rix,
> +  # NB: the preferred browser and proxy settings must be configured
> +  # in the GNOME preferences: this profile does not allow running
> +  # the corresponding external configuration applications.
> +  /usr/bin/gconftool-2 rPix,
> +  /usr/bin/gnome-open rmix,
> +  /usr/bin/gsettings rix,
> +  /usr/bin/gvfs-open rmix,
> +  /usr/bin/pidgin r,
> +  /usr/bin/xdg-open rmix,
>  
> -     /{dev,run}/shm/ r,
> -     /{dev,run}/shm/* rw,
> +  /usr/share/gnome/applications/ r,
> +  /usr/share/glib-2.0/schemas/gschemas.compiled r,
>  
> -     /etc/ r,
> -     /etc/pulse/client.conf r,
> -     /etc/ssl/certs/ r,
> -     /etc/ssl/certs/ssl-cert-snakeoil.pem r,
> +  /usr/lib/frei0r-1/*.so rm,
> +  /usr/lib/@{multiarch}/libvisual-*/**.so rm,
> +  /usr/lib/pidgin/*.so rm,
> +  /usr/lib/purple*/*.so rm,
>  
> -     owner /tmp/orbit-*/* w,
> -     owner /tmp/pulse-*/* w,
> +  /usr/share/purple/ca-certs/ r,
> +  /usr/share/purple/ca-certs/** r,
> +  /usr/share/tcltk/** r,
> +  /usr/share/themes/ r,
>  
> -     /usr/bin/gconftool-2 rix,
> -     /usr/bin/gnome-default-applications-properties ix,
> -     /usr/bin/gnome-network-preferences ix,
> -     /usr/bin/gnome-open rmix,
> -     /usr/bin/pidgin r,
> -     /usr/bin/xdg-open rmix,
> +  owner @{PROC}/[0-9]*/auxv r,
> +  owner @{PROC}/[0-9]*/fd/ r,
>  
> -     /usr/lib/ r,
> -     /usr/lib/firefox-*/firefox.sh Px,
> -     /usr/lib/libvisual-*/**.so rm,
> -     /usr/lib/pidgin/*.so rm,
> -     /usr/lib/purple*/*.so rm,
> +  # For sound notifications
> +  owner /tmp/orcexec.* mr,
> +  # ... if /tmp is mounted noexec
> +  owner @{HOME}/orcexec.* mr,
> +  owner /{,var/}run/user/[0-9]*/ r,
> +  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
>  
> -     /usr/share/ca-certificates/*/** r,
> -     /usr/share/enchant/enchant.ordering r,
> -     /usr/share/locale-langpack/** rm,
> -     /usr/share/purple/ca-certs/ r,
> -     /usr/share/purple/ca-certs/** r,
> -     /usr/share/myspell/dicts/ r,
> -     /usr/share/myspell/dicts/** r,
> -     /usr/share/tcltk/** r,
> +  # Site-specific additions and overrides. See local/README for details.
> +  #include <local/usr.bin.pidgin>
>  }
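Review bot: The sound-notification rules at the end of the hunk are inconsistent about write access: `owner /tmp/orcexec.* mr,` and `owner @{HOME}/orcexec.* mr,` grant map-and-read only, while `owner /{,var/}run/user/[0-9]*/orcexec.* mrw,` also grants write. If the `w` needed to create the /tmp and @{HOME} files is meant to come from one of the included abstractions, the profile should say which, since as written the two `mr` rules cannot be reached for a file the confined process creates itself. A comment above the `/tmp/orcexec.*` line along the lines of `# w on /tmp and @{HOME} orcexec files comes from <ABSTRACTION — confirm>` would save the next reader the same question, or the `mr` rules should be aligned with the `mrw` one if the abstractions do not cover it. The same `m` permission on a @{HOME} path also deserves a one-line justification, since it is the only rule in the profile that lets code be mapped from the home directory.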
> 

