Remove some remaining duplicated files.
This commit is contained in:
parent
e9b8e62fcd
commit
cc243a3042
11 changed files with 0 additions and 352 deletions
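--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# Author: Jamie Strandboge <jamie@canonical.com>
-
-# For site-specific adjustments, please see:
-# /etc/apparmor.d/local/chromium-browser
-
-abi <abi/3.0>,
-
-include <abstractions/ubuntu-browsers.d/plugins-common>
-include <abstractions/ubuntu-browsers.d/mailto>
-include <abstractions/ubuntu-browsers.d/multimedia>
-include <abstractions/ubuntu-browsers.d/productivity>
-include <abstractions/ubuntu-browsers.d/java>
-include <abstractions/ubuntu-browsers.d/kde>
-include <abstractions/ubuntu-browsers.d/text-editors>
-include <abstractions/ubuntu-browsers.d/ubuntu-integration>
-include <abstractions/ubuntu-browsers.d/user-files>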
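--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,120 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# Java plugin
-owner @{HOME}/.java/deployment/deployment.properties k,
-/etc/java-*/ r,
-/etc/java-*/** r,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
-/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
-/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
-/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
-owner /{,var/}run/user/*/icedteaplugin-*/ rw,
-owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
-
-# Profile for the supported OpenJDK in Ubuntu. This doesn't require the
-# unfortunate workarounds of the proprietary Javas, so have a separate
-# profile.
-profile browser_openjdk {
-include <abstractions/base>
-include <abstractions/fonts>
-include <abstractions/gnome>
-include <abstractions/kde>
-include <abstractions/nameservice>
-include <abstractions/ssl_certs>
-include <abstractions/user-tmp>
-include <abstractions/private-files-strict>
-
-network inet stream,
-network inet6 stream,
-@{PROC}/@{pid}/net/if_inet6 r,
-@{PROC}/@{pid}/net/ipv6_route r,
-
-/etc/java-*/ r,
-/etc/java-*/** r,
-/etc/lsb-release r,
-/etc/ssl/certs/java/* r,
-/etc/timezone r,
-/etc/writable/timezone r,
-
-@{PROC}/@{pid}/ r,
-@{PROC}/@{pid}/fd/ r,
-@{PROC}/filesystems r,
-@{sys}/devices/system/cpu/ r,
-@{sys}/devices/system/cpu/** r,
-/usr/share/** r,
-/var/lib/dbus/machine-id r,
-
-/usr/bin/env ix,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
-/usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
-/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
-
-# Why would java need this?
-deny /usr/bin/gconftool-2 x,
-
-owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
-owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
-owner @{HOME}/ r,
-owner @{HOME}/** rwk,
-}
-
-# Profile for commercial Javas. These need workarounds to work right (eg
-# Sun's forcing of an executable stack (LP: #535247)).
-profile browser_java {
-include <abstractions/base>
-include <abstractions/fonts>
-include <abstractions/gnome>
-include <abstractions/kde>
-include <abstractions/nameservice>
-include <abstractions/ssl_certs>
-include <abstractions/user-tmp>
-include <abstractions/private-files-strict>
-
-network inet stream,
-network inet6 stream,
-@{PROC}/@{pid}/net/if_inet6 r,
-@{PROC}/@{pid}/net/ipv6_route r,
-@{PROC}/loadavg r,
-
-/etc/debian_version r,
-/etc/java-*/ r,
-/etc/java-*/** r,
-/etc/lsb-release r,
-/etc/ssl/certs/java/* r,
-/etc/timezone r,
-/etc/writable/timezone r,
-
-@{PROC}/@{pid}/ r,
-@{PROC}/@{pid}/fd/ r,
-@{PROC}/filesystems r,
-@{sys}/devices/system/cpu/ r,
-@{sys}/devices/system/cpu/** r,
-/usr/share/** r,
-/var/lib/dbus/machine-id r,
-
-/usr/bin/env ix,
-/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
-/usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
-/usr/lib/j2*-ibm/jre/bin/java ix,
-
-# noisy, can't write here anyway
-deny /etc/.java/ w,
-deny /etc/.java/** w,
-
-deny /usr/bin/gconftool-2 x,
-
-owner @{HOME}/ r,
-owner @{HOME}/** rwk,
-
-# These are seriously unfortunate, but required due to LP: #535247
-/etc/passwd m,
-owner @{HOME}/.java/**/cache/** m,
-owner /tmp/** m,
-/usr/lib{,32,64}/jvm/**/*.jar mr,
-/usr/share/fonts/** m,
-}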
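--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,9 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
-abi <abi/3.0>,
-
-include <abstractions/kde>
-/usr/bin/kde4-config Cx -> sanitized_helper,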
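--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ /dev/null
@@ -1,11 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# for mailto:
-include <abstractions/ubuntu-email>
-include <abstractions/ubuntu-console-email>
-
-# Terminals for using console applications. These abstractions should ideally
-# have 'ix' to restrct access to what only firefox is allowed to do
-include <abstractions/ubuntu-gnome-terminal>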
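--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ /dev/null
@@ -1,51 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
-abi <abi/3.0>,
-
-include <abstractions/X>
-
-# Pulseaudio
-/usr/bin/pulseaudio Pixr,
-
-# Image viewers
-/usr/bin/eog Cxr -> sanitized_helper,
-/usr/bin/gimp* Cxr -> sanitized_helper,
-/usr/bin/shotwell Cxr -> sanitized_helper,
-/usr/bin/digikam Cxr -> sanitized_helper,
-/usr/bin/gwenview Cxr -> sanitized_helper,
-
-include <abstractions/ubuntu-media-players>
-owner @{HOME}/.adobe/ w,
-owner @{HOME}/.adobe/** rw,
-owner @{HOME}/.macromedia/ w,
-owner @{HOME}/.macromedia/** rw,
-/opt/real/RealPlayer/mozilla/nphelix.so rm,
-/usr/bin/lpstat Cxr -> sanitized_helper,
-/usr/bin/lpr Cxr -> sanitized_helper,
-
-# Bittorrent clients
-include <abstractions/ubuntu-bittorrent-clients>
-
-# Archivers
-/usr/bin/ark Cxr -> sanitized_helper,
-/usr/bin/file-roller Cxr -> sanitized_helper,
-/usr/bin/xarchiver Cxr -> sanitized_helper,
-/usr/local/lib{,32,64}/*.so* mr,
-
-# News feed readers
-include <abstractions/ubuntu-feed-readers>
-
-# If we allow the above, nvidia based systems will also need this
-include <abstractions/nvidia>
-
-# Virus scanners
-/usr/bin/clamscan Cx -> sanitized_helper,
-
-# gxine (LP: #1057642)
-/var/lib/xine/gxine.desktop r,
-
-# For WebRTC camera access (LP: #1665535)
-/dev/video[0-9]* rw,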
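--- a/PATH_NOT_SHOWN_ON_PAGE_6
+++ /dev/null
@@ -1,18 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-#
-# Plugins/helpers
-#
-@{PROC}/@{pid}/fd/ r,
-/usr/lib/** rm,
-/{,usr/}bin/bash ixr,
-/{,usr/}bin/dash ixr,
-/{,usr/}bin/grep ixr,
-/{,usr/}bin/sed ixr,
-/usr/bin/m4 ixr,
-
-# Since all the ubuntu-browsers.d abstractions need this, just include it
-# here
-include <abstractions/ubuntu-helpers>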
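--- a/PATH_NOT_SHOWN_ON_PAGE_7
+++ /dev/null
@@ -1,26 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
-abi <abi/3.0>,
-
-# Openoffice.org
-/usr/bin/ooffice Cxr -> sanitized_helper,
-/usr/bin/oocalc Cxr -> sanitized_helper,
-/usr/bin/oodraw Cxr -> sanitized_helper,
-/usr/bin/ooimpress Cxr -> sanitized_helper,
-/usr/bin/oowriter Cxr -> sanitized_helper,
-/usr/lib/openoffice/program/soffice Cxr -> sanitized_helper,
-
-# LibreOffice
-/usr/bin/libreoffice Cxr -> sanitized_helper,
-/usr/bin/localc Cxr -> sanitized_helper,
-/usr/bin/lodraw Cxr -> sanitized_helper,
-/usr/bin/loimpress Cxr -> sanitized_helper,
-/usr/bin/lowriter Cxr -> sanitized_helper,
-/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
-
-# PDFs
-/usr/bin/evince Cxr -> sanitized_helper,
-/usr/bin/okular Cxr -> sanitized_helper,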
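--- a/PATH_NOT_SHOWN_ON_PAGE_8
+++ /dev/null
@@ -1,16 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
-abi <abi/3.0>,
-
-# Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
-/usr/bin/emacsclient.emacs-snapshot Cxr -> sanitized_helper,
-/usr/bin/emacsclient.emacs2[2-9] Cxr -> sanitized_helper,
-/usr/bin/emacs-snapshot-gtk Cxr -> sanitized_helper,
-/usr/bin/gedit Cxr -> sanitized_helper,
-/usr/bin/vim.gnome Cxr -> sanitized_helper,
-/usr/bin/leafpad Cxr -> sanitized_helper,
-/usr/bin/mousepad Cxr -> sanitized_helper,
-/usr/bin/kate Cxr -> sanitized_helper,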
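--- a/PATH_NOT_SHOWN_ON_PAGE_9
+++ /dev/null
@@ -1,37 +0,0 @@
-# vim:syntax=apparmor
-# Users of this abstraction need to include the ubuntu-helpers abstraction
-# in the toplevel profile. Eg:
-# include <abstractions/ubuntu-helpers>
-
-abi <abi/3.0>,
-
-# Apport
-/usr/bin/apport-bug Cx -> sanitized_helper,
-
-# Package installation
-/usr/bin/apturl Cxr -> sanitized_helper,
-/usr/share/software-center/software-center Cxr -> sanitized_helper,
-
-# Input Methods
-/usr/bin/scim Cx -> sanitized_helper,
-/usr/bin/scim-bridge Cx -> sanitized_helper,
-
-# File managers
-/usr/bin/nautilus Cxr -> sanitized_helper,
-/usr/bin/{t,T}hunar Cxr -> sanitized_helper,
-/usr/bin/dolphin Cxr -> sanitized_helper,
-
-# Themes
-/usr/bin/gnome-appearance-properties Cxr -> sanitized_helper,
-
-# Kubuntu
-/usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
-
-# Exo-aware applications
-include <abstractions/exo-open>
-
-# unity webapps integration. Could go in its own abstraction
-owner /run/user/*/dconf/user rw,
-owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
-/usr/bin/debconf-communicate Cxr -> sanitized_helper,
-owner @{HOME}/.config/libaccounts-glib/accounts.db rk,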
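--- a/PATH_NOT_SHOWN_ON_PAGE_10
+++ /dev/null
@@ -1,8 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# firefox-notify
-include <abstractions/python>
-/usr/bin/python2.[4567] ix,
-/usr/share/xul-ext/notify/**/download_complete_notify.py ix,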
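--- a/PATH_NOT_SHOWN_ON_PAGE_11
+++ /dev/null
@@ -1,30 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# Allow read to all files user has DAC access to and write access to all
-# files owned by the user in $HOME.
-@{HOME}/ r,
-@{HOME}/** r,
-owner @{HOME}/** w,
-
-# Do not allow read and/or write to particularly sensitive/problematic files
-include <abstractions/private-files>
-audit deny @{HOME}/.ssh/{,**} mrwkl,
-audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
-audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
-audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
-
-# Comment this out if using gpg plugin/addons
-audit deny @{HOME}/.gnupg/{,**} mrwkl,
-
-# Allow read to all files user has DAC access to and write for files the user
-# owns on removable media and filesystems.
-/media/** r,
-/mnt/** r,
-/srv/** r,
-/net/** r,
-owner /media/** w,
-owner /mnt/** w,
-owner /srv/** w,
-owner /net/** w,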