add Ubuntu-specific profiles/apparmor.d/abstractions/ubuntu-browsers.d/*

for use with browser profiles
2025-03-04 16:35:02 +01:00 · 2010-08-06 16:01:57 -05:00 · 2010-08-06 16:01:57 -05:00 · d472cf13b1
commit d472cf13b1
parent eace04e2e7
9 changed files with 220 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@ -0,0 +1,104 @@
+  # Java plugin
+  @{HOME}/.java/deployment/deployment.properties k,
+  /etc/java-*/ r,
+  /etc/java-*/** r,
+  /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> firefox_openjdk,
+  /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> firefox_java,
+  /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java,
+  /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java,
+
+  # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
+  # unfortunate workarounds of the proprietary Javas, so have a separate
+  # profile.
+  profile firefox_openjdk {
+    #include <abstractions/base>
+    #include <abstractions/fonts>
+    #include <abstractions/gnome>
+    #include <abstractions/kde>
+    #include <abstractions/nameservice>
+    #include <abstractions/ssl_certs>
+    #include <abstractions/user-tmp>
+    #include <abstractions/private-files-strict>
+
+    network inet stream,
+    network inet6 stream,
+    @{PROC}/[0-9]*/net/if_inet6 r,
+    @{PROC}/[0-9]*/net/ipv6_route r,
+
+    /etc/java-*/ r,
+    /etc/java-*/** r,
+    /etc/lsb-release r,
+    /etc/ssl/certs/java/* r,
+    /etc/timezone r,
+
+    @{PROC}/[0-9]*/ r,
+    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/filesystems r,
+    /sys/devices/system/cpu/ r,
+    /sys/devices/system/cpu/** r,
+    /usr/share/** r,
+    /var/lib/dbus/machine-id r,
+
+    /usr/bin/env ix,
+    /usr/lib/jvm/java-6-openjdk/jre/bin/java ix,
+    /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m,
+
+    # Why would java need this?
+    deny /usr/bin/gconftool-2 x,
+
+    owner @{HOME}/ r,
+    owner @{HOME}/** rwk,
+  }
+
+  # Profile for commercial Javas. These need workarounds to work right (eg
+  # Sun's forcing of an executable stack (LP: #535247)).
+  profile firefox_java {
+    #include <abstractions/base>
+    #include <abstractions/fonts>
+    #include <abstractions/gnome>
+    #include <abstractions/kde>
+    #include <abstractions/nameservice>
+    #include <abstractions/ssl_certs>
+    #include <abstractions/user-tmp>
+    #include <abstractions/private-files-strict>
+
+    network inet stream,
+    network inet6 stream,
+    @{PROC}/[0-9]*/net/if_inet6 r,
+    @{PROC}/[0-9]*/net/ipv6_route r,
+
+    /etc/java-*/ r,
+    /etc/java-*/** r,
+    /etc/lsb-release r,
+    /etc/ssl/certs/java/* r,
+    /etc/timezone r,
+
+    @{PROC}/[0-9]*/ r,
+    @{PROC}/[0-9]*/fd/ r,
+    @{PROC}/filesystems r,
+    /sys/devices/system/cpu/ r,
+    /sys/devices/system/cpu/** r,
+    /usr/share/** r,
+    /var/lib/dbus/machine-id r,
+
+    /usr/bin/env ix,
+    /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
+    /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
+    /usr/lib/j2*-ibm/jre/bin/java ix,
+
+    # noisy, can't write here anyway
+    deny /etc/.java/ w,
+    deny /etc/.java/** w,
+
+    deny /usr/bin/gconftool-2 x,
+
+    owner @{HOME}/ r,
+    owner @{HOME}/** rwk,
+
+    # These are seriously unfortunate, but required due to LP: #535247
+    /etc/passwd m,
+    owner @{HOME}/.java/**/cache/** m,
+    owner /tmp/** m,
+    /usr/lib{,32,64}/jvm/**/*.jar mr,
+    /usr/share/fonts/** m,
+  }
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
@ -0,0 +1,2 @@
+  #include <abstractions/kde>
+  /usr/bin/kde4-config Ux,	# TODO: use PUx when apparmor is adjusted
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
@ -0,0 +1,8 @@
+  # for mailto:
+  #include <abstractions/ubuntu-email>
+  #include <abstractions/ubuntu-console-email>
+
+  # Terminals for using console applications. These abstractions should ideally
+  # have 'ix' to restrct access to what only firefox is allowed to do
+  #include <abstractions/ubuntu-gnome-terminal>
+
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
@ -0,0 +1,33 @@
+  # Pulseaudio
+  /usr/bin/pulseaudio ixr,
+
+  # Image viewers
+  /usr/bin/eog PUxr,
+  /usr/bin/gimp* PUxr,
+
+  #include <abstractions/ubuntu-media-players>
+  owner @{HOME}/.macromedia/** rw,
+  /opt/real/RealPlayer/mozilla/nphelix.so rm,
+
+  # npviewer
+  /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
+  /var/lib/ r,
+  /var/lib/**/*.so mr,
+  /usr/bin/setarch ixr,
+
+  # Bittorrent clients
+  #include <abstractions/ubuntu-bittorrent-clients>
+
+  # Mozplugger
+  /etc/mozpluggerrc r,
+  /usr/bin/mozplugger-helper PUxr,
+
+  # Archivers
+  /usr/bin/ark PUxr,
+  /usr/bin/file-roller PUxr,
+  /usr/bin/xarchiver PUxr,
+  /usr/local/lib{,32,64}/*.so* mr,
+
+  # TODO: check this
+  #include <abstractions/X>
+  /usr/bin/liferea-add-feed PUxr,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
@ -0,0 +1,12 @@
+  #
+  # Plugins/helpers
+  #
+  @{PROC}/[0-9]*/fd/ r,
+  /usr/lib/** rm,
+  /bin/bash ixr,
+  /bin/dash ixr,
+  /bin/grep ixr,
+  /bin/sed ixr,
+  /usr/bin/m4 ixr,
+
+
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
@ -0,0 +1,15 @@
+  # Openoffice.org
+  /usr/bin/ooffice PUxr,
+  /usr/bin/oocalc PUxr,
+  /usr/bin/oodraw PUxr,
+  /usr/bin/ooimpress PUxr,
+  /usr/bin/oowriter PUxr,
+  /usr/lib/openoffice/program/soffice PUxr,
+
+  # PDFs
+  /usr/bin/evince PUxr,
+  /usr/bin/okular PUxr,
+  owner @{HOME}/.adobe/** rw,
+
+  /opt/Adobe/Reader9/bin/acroread PUxr,
+  /opt/Adobe/Reader9/** r,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
@ -0,0 +1,8 @@
+  # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
+  /usr/bin/emacsclient.emacs-snapshot PUxr,
+  /usr/bin/emacsclient.emacs22 PUxr,
+  /usr/bin/gedit PUxr,
+  /usr/bin/vim.gnome PUxr,
+  /usr/bin/leafpad PUxr,
+  /usr/bin/mousepad PUxr,
+
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@ -0,0 +1,15 @@
+  # Apport
+  /usr/bin/apport-bug PUx,
+
+  # Package installation
+  /usr/bin/apturl PUxr,
+  /usr/bin/gnome-codec-install PUxr,
+  /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+
+  # Input Methods
+  /usr/bin/scim PUx,
+  /usr/bin/scim-bridge PUx,
+
+  # File managers
+  /usr/bin/nautilus PUxr,
+  /usr/bin/thunar PUxr,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@ -0,0 +1,23 @@
+  # Allow read to all files user has DAC access to and write access to all
+  # files owned by the user in $HOME.
+  @{HOME}/ r,
+  @{HOME}/** r,
+  owner @{HOME}/** w,
+  owner @{HOME}/Desktop/** r,
+
+  # Do not allow read and/or write to particularly sensitive/problematic files
+  #include <abstractions/private-files>
+  audit deny @{HOME}/.ssh/** mrwkl,
+  audit deny @{HOME}/.gnome2_private/** mrwkl,
+
+  # Comment this out if using gpg plugin/addons
+  audit deny @{HOME}/.gnupg/** mrwkl,
+
+  # Allow read to all files user has DAC access to and write for files the user
+  # owns on removable media and filesystems.
+  /media/** r,
+  /mnt/** r,
+  /srv/** r,
+  owner /media/** w,
+  owner /mnt/** w,
+  owner /srv/** w,