Based on Cameron Norman's initial work
(http://bazaar.launchpad.net/~cameronnemo/apparmor/gnome-abstraction/revision/3111) with the following changes:
* don't include GTK+ 3.0 configuration: already done earlier
* generalize to future GLib versions
* support /usr/local
* allow reading the parent directory as well, following the lead
of usr.lib.telepathy: this is harmless and could be needed in some cases.
This is the least invasive solution to the problem I'm trying to solve
right now (Evince not starting in GNOME on Wayland, and probably
similar issues for other GNOME applications I suppose).
At some point, we will probably want to source the wayland abstraction
from other desktop environments' abstractions, or simply from the
X one. Let's come back to it once people using these other desktop
environments on Wayland with AppArmor enabled tell us what policy
change is needed to make it work for them.
In Debian, gnome-session (3.20.1-2)'s changelog reads:
If /etc/gnome/defaults.list was modified by the system administrator,
the file is moved to /etc/xdg/gnome-mimeapps.list during the upgrade.
So we want to at least support /etc/xdg/gnome-mimeapps.list. And while
we're at it, let's support *-mimeapps.list instead of just gnome-mimeapps.list,
in case other desktop environments or derivatives need such customizations.
socket. Note, DBus mediation is still in effect so rules still need to be added
for accessing the DBus API (LP: #1375067)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
From: Simon Deziel <simon.deziel@gmail.com>
A fair number of the rules that apply to files in @{HOME} predate the
existence of the 'owner' qualifier. This patch adds the 'owner'
qualifier in several places.
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
This patch adds the kernelvars tunable to the global set that is usually
included by default in apparmor policies. It then converts the rules
that are intended to match /proc/pid to use this tunable.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
/usr/share/poppler/cMap/**. These files are included in the poppler-data
package on Ubuntu, and their 'r' denials create quite a bit of noise.
Apparently they are needed to display PDF documents containing CJK
characters with libpoppler. I added it to the gnome abstraction because
several applications not linked against poppler are consulting this
data.
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Steve Langasek <steve.langasek@linaro.org>,
Steve Beattie <sbeattie@ubuntu.com>
Description: add multiarch support to abstractions
Bug-Ubuntu: https://bugs.launchpad.net/bugs/736870
This patch add multiarch support for common shared library locations, as
well as a tunables file and directory to ease adding addiotional
multiarch paths.
Bug: https://launchpad.net/bugs/736870
make the final install layout match the layout in the repository (at
long last :) -- now we can use a single 'make check' target to check the
profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
Renamed from profiles/abstractions/gnome (Browse further)
