apparmor/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

# vim:syntax=apparmor
# Users of this abstraction need to #include the ubuntu-helpers abstraction
# in the toplevel profile. Eg:
# #include <abstractions/ubuntu-helpers>

  #include <abstractions/X>

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  # Image viewers
  /usr/bin/eog Cxr -> sanitized_helper,
  /usr/bin/gimp* Cxr -> sanitized_helper,
  /usr/bin/shotwell Cxr -> sanitized_helper,
  /usr/bin/digikam Cxr -> sanitized_helper,
  /usr/bin/f-spot Cxr -> sanitized_helper,
  /usr/bin/gwenview Cxr -> sanitized_helper,

  #include <abstractions/ubuntu-media-players>
  owner @{HOME}/.adobe/ w,
  owner @{HOME}/.adobe/** rw,
  owner @{HOME}/.macromedia/ w,
  owner @{HOME}/.macromedia/** rw,
  /opt/real/RealPlayer/mozilla/nphelix.so rm,
  /usr/bin/lpstat Cxr -> sanitized_helper,
  /usr/bin/lpr Cxr -> sanitized_helper,

  # npviewer
  /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
  /var/lib/ r,
  /var/lib/**/*.so mr,
  /usr/bin/setarch ixr,

  # Bittorrent clients
  #include <abstractions/ubuntu-bittorrent-clients>

  # Mozplugger
  /etc/mozpluggerrc r,
  /usr/bin/mozplugger-helper Cxr -> sanitized_helper,

  # Archivers
  /usr/bin/ark Cxr -> sanitized_helper,
  /usr/bin/file-roller Cxr -> sanitized_helper,
  /usr/bin/xarchiver Cxr -> sanitized_helper,
  /usr/local/lib{,32,64}/*.so* mr,

  # News feed readers
  #include <abstractions/ubuntu-feed-readers>

  # Googletalk
  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,
  owner @{HOME}/.config/google-googletalkplugin/** rw,

  # If we allow the above, nvidia based systems will also need this
  #include <abstractions/nvidia>

  # Virus scanners
  /usr/bin/clamscan Cx -> sanitized_helper,

  # gxine (LP: #1057642)
  /var/lib/xine/gxine.desktop r,

  # For WebRTC camera access (LP: #1665535)
  /dev/video[0-9]* rw,
update ubuntu abstractions to use '# vim:syntax=apparmor' 2010-12-21 12:53:33 -06:00			`# vim:syntax=apparmor`
don't #include ubuntu-helpers in the abstractions. This can only be included once in policy, otherwise you will get an error regarding multiple definitions for sanitized_helper 2012-01-11 09:00:35 +01:00			`# Users of this abstraction need to #include the ubuntu-helpers abstraction`
			`# in the toplevel profile. Eg:`
			`# #include <abstractions/ubuntu-helpers>`
update ubuntu abstractions to use '# vim:syntax=apparmor' 2010-12-21 12:53:33 -06:00
create ubuntu-feed-readers abstraction and have ubuntu-browsers.d/multimedia use it instead of specifying liferea directly 2010-08-11 09:58:34 -05:00			`#include <abstractions/X>`

add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00			`# Pulseaudio`
Subject: profiles - adjust pusleaudio in abstraction I was testing out a profile for pulseaudio and hit an issue where my pulseaudio process was getting the firefox profile applied to it. This is because in abstractions/ubuntu-browsers.d/multimedia the rule for pulseaudio is /usr/bin/pulseaudio ixr; attached is a patch to change it to Pixr, so as to use a global pulseaudio policy if it exists. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-by: John Johansen <john.johansen@canonical.com> 2013-01-09 15:12:06 -08:00			`/usr/bin/pulseaudio Pixr,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00
			`# Image viewers`
update ubuntu abstractions to use the sanitized helper 2012-01-10 20:54:38 +01:00			`/usr/bin/eog Cxr -> sanitized_helper,`
			`/usr/bin/gimp* Cxr -> sanitized_helper,`
			`/usr/bin/shotwell Cxr -> sanitized_helper,`
			`/usr/bin/digikam Cxr -> sanitized_helper,`
			`/usr/bin/f-spot Cxr -> sanitized_helper,`
			`/usr/bin/gwenview Cxr -> sanitized_helper,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00
			`#include <abstractions/ubuntu-media-players>`
Updated abstractions to allow creating some common config dirs 2018-08-08 19:28:25 -04:00			`owner @{HOME}/.adobe/ w,`
Updated abstractions to allow writing to some common config dirs 2018-08-08 19:29:20 -04:00			`owner @{HOME}/.adobe/** rw,`
Updated abstractions to allow creating some common config dirs 2018-08-08 19:28:25 -04:00			`owner @{HOME}/.macromedia/ w,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00			`owner @{HOME}/.macromedia/** rw,`
			`/opt/real/RealPlayer/mozilla/nphelix.so rm,`
update ubuntu abstractions to use the sanitized helper 2012-01-10 20:54:38 +01:00			`/usr/bin/lpstat Cxr -> sanitized_helper,`
			`/usr/bin/lpr Cxr -> sanitized_helper,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00
			`# npviewer`
			`/usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,`
			`/var/lib/ r,`
			`/var/lib/*/.so mr,`
			`/usr/bin/setarch ixr,`

			`# Bittorrent clients`
			`#include <abstractions/ubuntu-bittorrent-clients>`

			`# Mozplugger`
			`/etc/mozpluggerrc r,`
update ubuntu abstractions to use the sanitized helper 2012-01-10 20:54:38 +01:00			`/usr/bin/mozplugger-helper Cxr -> sanitized_helper,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00
			`# Archivers`
update ubuntu abstractions to use the sanitized helper 2012-01-10 20:54:38 +01:00			`/usr/bin/ark Cxr -> sanitized_helper,`
			`/usr/bin/file-roller Cxr -> sanitized_helper,`
			`/usr/bin/xarchiver Cxr -> sanitized_helper,`
add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/* for use with browser profiles 2010-08-06 16:01:57 -05:00			`/usr/local/lib{,32,64}/.so mr,`

create ubuntu-feed-readers abstraction and have ubuntu-browsers.d/multimedia use it instead of specifying liferea directly 2010-08-11 09:58:34 -05:00			`# News feed readers`
			`#include <abstractions/ubuntu-feed-readers>`
fix LP: #626451 (GoogleTalk in ubuntu-browsers.d/multimedia) 2010-09-08 08:51:06 -05:00
			`# Googletalk`
			`/opt/google/talkplugin/*.so mr,`
			`/opt/google/talkplugin/lib/*.so mr,`
			`/opt/google/talkplugin/GoogleTalkPlugin ixr,`
			`owner @{HOME}/.config/google-googletalkplugin/** rw,`
Nvidia users need access to /dev/nvidia* files for various plugins to work right. Since these are all focused around multimedia, add the accesses to ubuntu-browsers.d/multimedia 2012-01-03 17:24:04 -06:00
Subject: profiles - nvidia abstraction cleanups This patch modifies the nvidia abstraction to add the livdpau wrapper config file for nvidia workarounds. It also converts the /proc/ rules to use the @{PROC} tunable. And finally, it converts the ubuntu-browsers.d/multimedia abstraction to use the nvidia abstraction. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com> 2013-01-02 14:39:45 -08:00			`# If we allow the above, nvidia based systems will also need this`
			`#include <abstractions/nvidia>`
allow fireclam plugin to work in Ubuntu multimedia abstraction (LP: #562831) 2012-01-03 17:50:00 -06:00
			`# Virus scanners`
update ubuntu abstractions to use the sanitized helper 2012-01-10 20:54:38 +01:00			`/usr/bin/clamscan Cx -> sanitized_helper,`
Description: /etc/vdpau_wrapper.cfg needed for Firefox 18+ on quantal Author: Micah Gersten <micah@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Modified by Seth Arnold; nvidia nvpau_wrapper.cfg permission was hoisted up into an nvidia abstraction. 2014-02-13 17:17:46 -08:00
			`# gxine (LP: #1057642)`
			`/var/lib/xine/gxine.desktop r,`
* Fix LP: #1665535 - Enable camera access in browser apparmor profile for WebRTC 2017-02-17 20:42:19 +00:00
			`# For WebRTC camera access (LP: #1665535)`
			`/dev/video[0-9]* rw,`