diff --git a/profiles/abstractions/ubuntu-browsers.d/chromium-browser b/profiles/abstractions/ubuntu-browsers.d/chromium-browser
deleted file mode 100644
index 95724f1a..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/chromium-browser
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# Author: Jamie Strandboge
-
-# For site-specific adjustments, please see:
-# /etc/apparmor.d/local/chromium-browser
-
-abi ,
-
-include
-include
-include
-include
-include
-include
-include
-include
-include
diff --git a/profiles/abstractions/ubuntu-browsers.d/java b/profiles/abstractions/ubuntu-browsers.d/java
deleted file mode 100644
index ae93c755..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/java
+++ /dev/null
@@ -1,120 +0,0 @@
-# vim:syntax=apparmor
-
- abi ,
-
- # Java plugin
- owner @{HOME}/.java/deployment/deployment.properties k,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
- /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
- owner /{,var/}run/user/*/icedteaplugin-*/ rw,
- owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
-
- # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
- # unfortunate workarounds of the proprietary Javas, so have a separate
- # profile.
- profile browser_openjdk {
- include
- include
- include
- include
- include
- include
- include
- include
-
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
-
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
- /etc/writable/timezone r,
-
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
-
- /usr/bin/env ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
- /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
-
- # Why would java need this?
- deny /usr/bin/gconftool-2 x,
-
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
- }
-
- # Profile for commercial Javas. These need workarounds to work right (eg
- # Sun's forcing of an executable stack (LP: #535247)).
- profile browser_java {
- include
- include
- include
- include
- include
- include
- include
- include
-
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
- @{PROC}/loadavg r,
-
- /etc/debian_version r,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
- /etc/writable/timezone r,
-
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
-
- /usr/bin/env ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
- /usr/lib/j2*-ibm/jre/bin/java ix,
-
- # noisy, can't write here anyway
- deny /etc/.java/ w,
- deny /etc/.java/** w,
-
- deny /usr/bin/gconftool-2 x,
-
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
-
- # These are seriously unfortunate, but required due to LP: #535247
- /etc/passwd m,
- owner @{HOME}/.java/**/cache/** m,
- owner /tmp/** m,
- /usr/lib{,32,64}/jvm/**/*.jar mr,
- /usr/share/fonts/** m,
- }
diff --git a/profiles/abstractions/ubuntu-browsers.d/kde b/profiles/abstractions/ubuntu-browsers.d/kde
deleted file mode 100644
index bdac331e..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/kde
+++ /dev/null
@@ -1,9 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include
-
- abi ,
-
- include
- /usr/bin/kde4-config Cx -> sanitized_helper,
diff --git a/profiles/abstractions/ubuntu-browsers.d/mailto b/profiles/abstractions/ubuntu-browsers.d/mailto
deleted file mode 100644
index 8d157098..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/mailto
+++ /dev/null
@@ -1,11 +0,0 @@
-# vim:syntax=apparmor
-
- abi ,
-
- # for mailto:
- include
- include
-
- # Terminals for using console applications. These abstractions should ideally
- # have 'ix' to restrct access to what only firefox is allowed to do
- include
diff --git a/profiles/abstractions/ubuntu-browsers.d/multimedia b/profiles/abstractions/ubuntu-browsers.d/multimedia
deleted file mode 100644
index f2eb23ef..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/multimedia
+++ /dev/null
@@ -1,51 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include
-
- abi ,
-
- include
-
- # Pulseaudio
- /usr/bin/pulseaudio Pixr,
-
- # Image viewers
- /usr/bin/eog Cxr -> sanitized_helper,
- /usr/bin/gimp* Cxr -> sanitized_helper,
- /usr/bin/shotwell Cxr -> sanitized_helper,
- /usr/bin/digikam Cxr -> sanitized_helper,
- /usr/bin/gwenview Cxr -> sanitized_helper,
-
- include
- owner @{HOME}/.adobe/ w,
- owner @{HOME}/.adobe/** rw,
- owner @{HOME}/.macromedia/ w,
- owner @{HOME}/.macromedia/** rw,
- /opt/real/RealPlayer/mozilla/nphelix.so rm,
- /usr/bin/lpstat Cxr -> sanitized_helper,
- /usr/bin/lpr Cxr -> sanitized_helper,
-
- # Bittorrent clients
- include
-
- # Archivers
- /usr/bin/ark Cxr -> sanitized_helper,
- /usr/bin/file-roller Cxr -> sanitized_helper,
- /usr/bin/xarchiver Cxr -> sanitized_helper,
- /usr/local/lib{,32,64}/*.so* mr,
-
- # News feed readers
- include
-
- # If we allow the above, nvidia based systems will also need this
- include
-
- # Virus scanners
- /usr/bin/clamscan Cx -> sanitized_helper,
-
- # gxine (LP: #1057642)
- /var/lib/xine/gxine.desktop r,
-
- # For WebRTC camera access (LP: #1665535)
- /dev/video[0-9]* rw,
diff --git a/profiles/abstractions/ubuntu-browsers.d/plugins-common b/profiles/abstractions/ubuntu-browsers.d/plugins-common
deleted file mode 100644
index 5d93b262..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/plugins-common
+++ /dev/null
@@ -1,18 +0,0 @@
-# vim:syntax=apparmor
-
- abi ,
-
- #
- # Plugins/helpers
- #
- @{PROC}/@{pid}/fd/ r,
- /usr/lib/** rm,
- /{,usr/}bin/bash ixr,
- /{,usr/}bin/dash ixr,
- /{,usr/}bin/grep ixr,
- /{,usr/}bin/sed ixr,
- /usr/bin/m4 ixr,
-
- # Since all the ubuntu-browsers.d abstractions need this, just include it
- # here
- include
diff --git a/profiles/abstractions/ubuntu-browsers.d/productivity b/profiles/abstractions/ubuntu-browsers.d/productivity
deleted file mode 100644
index 1fc67a84..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/productivity
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include
-
- abi ,
-
- # Openoffice.org
- /usr/bin/ooffice Cxr -> sanitized_helper,
- /usr/bin/oocalc Cxr -> sanitized_helper,
- /usr/bin/oodraw Cxr -> sanitized_helper,
- /usr/bin/ooimpress Cxr -> sanitized_helper,
- /usr/bin/oowriter Cxr -> sanitized_helper,
- /usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
-
- # LibreOffice
- /usr/bin/libreoffice Cxr -> sanitized_helper,
- /usr/bin/localc Cxr -> sanitized_helper,
- /usr/bin/lodraw Cxr -> sanitized_helper,
- /usr/bin/loimpress Cxr -> sanitized_helper,
- /usr/bin/lowriter Cxr -> sanitized_helper,
- /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
-
- # PDFs
- /usr/bin/evince Cxr -> sanitized_helper,
- /usr/bin/okular Cxr -> sanitized_helper,
diff --git a/profiles/abstractions/ubuntu-browsers.d/text-editors b/profiles/abstractions/ubuntu-browsers.d/text-editors
deleted file mode 100644
index e04c6b80..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/text-editors
+++ /dev/null
@@ -1,16 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include
-
- abi ,
-
- # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
- /usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
- /usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
- /usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
- /usr/bin/gedit Cxr -> sanitized_helper,
- /usr/bin/vim.gnome Cxr -> sanitized_helper,
- /usr/bin/leafpad Cxr -> sanitized_helper,
- /usr/bin/mousepad Cxr -> sanitized_helper,
- /usr/bin/kate Cxr -> sanitized_helper,
diff --git a/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration
deleted file mode 100644
index cdbd47cd..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ /dev/null
@@ -1,37 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include
-
- abi ,
-
- # Apport
- /usr/bin/apport-bug Cx -> sanitized_helper,
-
- # Package installation
- /usr/bin/apturl Cxr -> sanitized_helper,
- /usr/share/software-center/software-center Cxr -> sanitized_helper,
-
- # Input Methods
- /usr/bin/scim Cx -> sanitized_helper,
- /usr/bin/scim-bridge Cx -> sanitized_helper,
-
- # File managers
- /usr/bin/nautilus Cxr -> sanitized_helper,
- /usr/bin/{t,T}hunar Cxr -> sanitized_helper,
- /usr/bin/dolphin Cxr -> sanitized_helper,
-
- # Themes
- /usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
-
- # Kubuntu
- /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
-
- # Exo-aware applications
- include
-
- # unity webapps integration. Could go in its own abstraction
- owner /run/user/*/dconf/user rw,
- owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
- /usr/bin/debconf-communicate Cxr -> sanitized_helper,
- owner @{HOME}/.config/libaccounts-glib/accounts.db rk,
diff --git a/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration-xul b/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
deleted file mode 100644
index c6a8eedd..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/ubuntu-integration-xul
+++ /dev/null
@@ -1,8 +0,0 @@
-# vim:syntax=apparmor
-
- abi ,
-
- # firefox-notify
- include
- /usr/bin/python2.[4567] ix,
- /usr/share/xul-ext/notify/**/download_complete_notify.py ix,
diff --git a/profiles/abstractions/ubuntu-browsers.d/user-files b/profiles/abstractions/ubuntu-browsers.d/user-files
deleted file mode 100644
index e2965f01..00000000
--- a/profiles/abstractions/ubuntu-browsers.d/user-files
+++ /dev/null
@@ -1,30 +0,0 @@
-# vim:syntax=apparmor
-
- abi ,
-
- # Allow read to all files user has DAC access to and write access to all
- # files owned by the user in $HOME.
- @{HOME}/ r,
- @{HOME}/** r,
- owner @{HOME}/** w,
-
- # Do not allow read and/or write to particularly sensitive/problematic files
- include
- audit deny @{HOME}/.ssh/{,**} mrwkl,
- audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
- audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
-
- # Comment this out if using gpg plugin/addons
- audit deny @{HOME}/.gnupg/{,**} mrwkl,
-
- # Allow read to all files user has DAC access to and write for files the user
- # owns on removable media and filesystems.
- /media/** r,
- /mnt/** r,
- /srv/** r,
- /net/** r,
- owner /media/** w,
- owner /mnt/** w,
- owner /srv/** w,
- owner /net/** w,