intrigeri has proposed merging 
~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into 
apparmor-profiles:master.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769

Supersedes 
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143
 with additional rules needed on GNOME 3.26 / Linux 4.14-rc5.
diff --git a/ubuntu/17.10/abstractions/gstreamer b/ubuntu/17.10/abstractions/gstreamer
index ef8c3ef..893e672 100644
--- a/ubuntu/17.10/abstractions/gstreamer
+++ b/ubuntu/17.10/abstractions/gstreamer
@@ -4,12 +4,18 @@
 
   /etc/udev/udev.conf r,
 
+  /dev/dri/ r,
+
   # /dev/shm is a symlink to /run/shm on ubuntu
   owner /{dev,run}/shm/shmfd-* rw,
 
+  /run/udev/data/c* r,
   /run/udev/data/+pci:* r,
+  /run/udev/data/+usb* r,
 
-  /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
+  /sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
+  /sys/devices/system/node/ r,
+  /sys/devices/system/node/*/meminfo r,
 
   owner /tmp/orcexec.* mrw,
   owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
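Review bot: `/run/udev/data/c* r` (L31) is broad: it matches the udev database entry of every character device on the host, not only the media devices this abstraction serves, and nothing in the hunk records which consumer motivates it. A one-line comment such as `# udev db entries for char devices (presumably libgudev enumeration -- verify)` would let a later reviewer judge whether the glob can be narrowed. The `config` attribute added to the sysfs brace set at L36 likewise grants reads of PCI config space for every PCI device under the glob, which deserves a comment naming the plugin that needs it. The `/dev/dri/ r` and `/sys/devices/system/node/` additions are directory/meminfo reads and look proportionate.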
diff --git a/ubuntu/17.10/abstractions/totem b/ubuntu/17.10/abstractions/totem
index e9c792c..67fe3cf 100644
--- a/ubuntu/17.10/abstractions/totem
+++ b/ubuntu/17.10/abstractions/totem
@@ -28,7 +28,7 @@
   /usr/share/** r,
   /{media,mnt,opt,srv}/** r,
 
-  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
+  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner px -> gst_plugin_scanner,
 
   owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
   owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
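Review bot: `px -> gst_plugin_scanner` (L51) does not scrub the environment across the transition, whereas the capitalised form `Px -> gst_plugin_scanner` would, and the sibling thumbnailer exec in usr.bin.totem already uses the scrubbing `Pix` form. Unless the scanner is known to depend on totem's environment, the scrubbing variant is the more conservative choice; if the environment is needed, a short comment stating why would stop the next reviewer from "fixing" it. Note also that `Cix` carried an inherit fallback while `px` has none, so the rule now relies on the standalone gst_plugin_scanner profile being loaded -- which this tree ships, but the commit description does not mention.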
@@ -46,6 +46,7 @@
   owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
   owner @{HOME}/.local/share/gvfs-metadata/** r,
   owner @{HOME}/.local/share/totem/ rwk,
+  owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk,
 
   owner @{PROC}/@{pid}/status r,
 
diff --git a/ubuntu/17.10/gst_plugin_scanner b/ubuntu/17.10/gst_plugin_scanner
index d74d00e..bea6c32 100644
--- a/ubuntu/17.10/gst_plugin_scanner
+++ b/ubuntu/17.10/gst_plugin_scanner
@@ -7,6 +7,9 @@ profile gst_plugin_scanner {
   #include <abstractions/gstreamer>
   #include <abstractions/X>
 
+  # TODO: adjust when support finer-grained netlink rules
+  network netlink raw,
+
   /dev/ r,
   /dev/bus/usb/ r,
 
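Review bot: The TODO comment at L71 reads as garbled ("adjust when support finer-grained netlink rules") and does not say what the rule should eventually be narrowed to; `network netlink raw,` grants every netlink protocol family, not just one socket. Suggest `# TODO: narrow once AppArmor supports finer-grained netlink rules; presumably only the udev uevent socket is needed -- confirm`, so the intended scope is recorded alongside the grant. Naming the consumer (libgudev/libusb device enumeration is the likely one, given the udev rules in the gstreamer abstraction, but the hunk does not show it) would make the future narrowing straightforward.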
diff --git a/ubuntu/17.10/usr.bin.totem b/ubuntu/17.10/usr.bin.totem
index cc59717..49229a5 100644
--- a/ubuntu/17.10/usr.bin.totem
+++ b/ubuntu/17.10/usr.bin.totem
@@ -10,11 +10,14 @@
   #include <abstractions/python>
   #include <abstractions/totem>
 
+  signal (send) set=("kill") peer=unconfined,
+
   # Maybe in an abstraction?
   /usr/include/**/pyconfig.h r,
 
   /usr/bin/totem r,
   /usr/bin/totem-video-thumbnailer Pix,
+  /usr/bin/bwrap pux,
   /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
   /dev/sr* r,
 
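Review bot: `/usr/bin/bwrap pux` (L92) is effectively an unconfined exec: no `bwrap` profile is added by this change, so the `u` fallback is the path that takes effect and bwrap, plus whatever it launches, runs outside totem's confinement. That is a deliberate hole and should be documented in the profile, e.g. `# bwrap has no profile yet; pux falls back to unconfined, so confinement ends here`, and called out in the commit description rather than left to be discovered. The `signal (send) set=("kill") peer=unconfined,` rule at L85 is presumably for that same unconfined child; a comment tying the two rules together would help a reader see why totem needs to signal unconfined processes at all.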