
Add iceweasel, irssi and rtorrent

author Alberto Bertogli
2014-04-09 21:34:14 UTC
committer Alberto Bertogli
2014-04-09 21:34:14 UTC

Add iceweasel, irssi and rtorrent

usr.bin.iceweasel +121 -0
usr.bin.irssi +16 -0
usr.bin.rtorrent +15 -0

diff --git a/usr.bin.iceweasel b/usr.bin.iceweasel
new file mode 100644
index 0000000..8df7bb2
--- /dev/null
+++ b/usr.bin.iceweasel
@@ -0,0 +1,121 @@
+# Alberto - 2014-03-08
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/lib/iceweasel/iceweasel {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+  #include <abstractions/fonts>
+  #include <abstractions/audio>
+  #include <abstractions/X>
+
+  # Access iceweasel files.
+  /usr/lib/mozilla/** r,
+  /usr/lib/iceweasel/** r,
+  /etc/iceweasel/** r,
+
+  # Make browsing directories work
+  / r,
+  /**/ r,
+
+  # Allow access to documentation and other files the user may want to look
+  # at in /usr
+  /usr/{include,share,src}** r,
+
+  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
+  owner @{HOME}/ r,
+  owner @{HOME}/Public/ r,
+  owner @{HOME}/Public/* r,
+  owner @{HOME}/Downloads/ r,
+  owner @{HOME}/Downloads/* rw,
+
+  # Helpers
+  /usr/bin/xdg-open ixr,
+  /usr/bin/gnome-open ixr,
+  /usr/bin/gvfs-open ixr,
+
+  # Configuration and caches.
+  owner @{HOME}/.mozilla/ rw,
+  owner @{HOME}/.mozilla/** rwk,
+  owner @{HOME}/.cache/ rw,
+  owner @{HOME}/.cache/** rwk,
+  owner @{HOME}/.gnome2/ rw,
+  owner @{HOME}/.gnome2/** rw,
+  owner @{HOME}/.gnome2_private/ rw,
+  owner @{HOME}/.gnome2_private/** rw,
+
+  # System level stuff.
+  /proc/*/** r,
+  /usr/lib/** rm,
+  /var/lib/dbus/machine-id r,
+  /etc/gnome-vfs-2.0/modules/* r,
+  /etc/drirc r,
+  /etc/mozpluggerrc r,
+  /etc/mime.types r,
+  /etc/mailcap r,
+  /sys/devices/system/cpu/present r,
+
+  # It needs to run m4 when ran for the first time.
+  /usr/bin/m4 ixr,
+
+  # Run dbus-launch, which runs dbus-daemon if it's not there already.
+  # We trust it enough to run unrestricted, but after cleaning the
+  # environment.
+  /usr/bin/dbus-launch Uxr,
+
+  # Run xulrunner/plugin-container.
+  # Note we need to use lowercase 'c' as Firefox *will* do tricks with the
+  # environment. It is still under the sub-profile, though.
+  /usr/lib/xulrunner-*/plugin-container cxr -> plugin_container,
+  /usr/lib/iceweasel/xulrunner/plugin-container cxr -> plugin_container,
+  /usr/lib/iceweasel/xulrunner/** rm,
+
+  profile plugin_container {
+    #include <abstractions/base>
+    #include <abstractions/user-tmp>
+    #include <abstractions/fonts>
+    #include <abstractions/audio>
+    #include <abstractions/X>
+
+    @{PROC}/[0-9]*/cmdline r,
+
+    # The plugin container needs to run small scripts.
+    # Let it get a shell, a normal ps, and grep; which seems to be enough.
+    /bin/dash ixr,
+    /bin/ps Uxr,
+    /bin/grep ixr,
+
+    # Files it really needs to access (including executable mappings to the
+    # xulrunner libraries).
+    /usr/lib/iceweasel/xulrunner/** rm,
+    /usr/lib/xulrunner-*/** rm,
+
+    # Read, but not write, from our profile.
+    owner @{HOME}/.mozilla/** r,
+    /etc/passwd r,
+
+    # The flash plugin needs these, both to the directory to create it if it
+    # doesn't exist, and full access within.
+    # Note this is the only special place it can write to (other than tmp,
+    # audio, etc.).
+    owner @{HOME}/.adobe/ rw,
+    owner @{HOME}/.adobe/** rw,
+    owner @{HOME}/.macromedia/ rw,
+    owner @{HOME}/.macromedia/** rw,
+
+    # Miscellaneous things that are required and safe to read.
+    /usr/share/icons/** r,
+    /usr/share/themes/** r,
+    /etc/vdpau_wrapper.cfg r,
+    /etc/machine-id r,
+
+    # We're not giving it full nameservice permissions, but it needs these.
+    /etc/nsswitch.conf r,
+    /etc/group r,
+    /etc/host.conf r,
+    /etc/resolv.conf r,
+    /etc/hosts r,
+  }
+}
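Review bot: Inside the plugin_container sub-profile, `/bin/ps Uxr,` (the line between `/bin/dash ixr,` and `/bin/grep ixr,`) launches ps unconfined from the profile that the comments further down identify as the home of the least-trusted code (the Flash plugin), while its sibling helpers dash and grep run under `ix`. ps is essentially a /proc reader, so `/bin/ps ixr,` together with `@{PROC}/ r,` and `@{PROC}/[0-9]*/{stat,status,statm} r,` is probably enough — put the profile in complain mode and take the exact file set from the audit log rather than from my guess. The parent's `/usr/bin/dbus-launch Uxr,` at least carries a comment explaining why it is trusted; the ps line should get the same justification or lose the `U`. Separately, the parent's `/usr/lib/** rm,` already subsumes the narrower `/usr/lib/iceweasel/** r,` and `/usr/lib/iceweasel/xulrunner/** rm,` rules and grants mmap-exec of every library on the system, which is worth a second look since it makes the more specific rules dead.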
diff --git a/usr.bin.irssi b/usr.bin.irssi
new file mode 100644
index 0000000..abb170a
--- /dev/null
+++ b/usr.bin.irssi
@@ -0,0 +1,16 @@
+# vim:syntax=apparmor
+# Alberto - 26/Oct/2013
+
+#include <tunables/global>
+
+/usr/bin/irssi {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+    #include <abstractions/perl>
+
+    @{HOME}/irclogs/** rwk,
+    @{HOME}/.irssi/** rwk,
+    /usr/share/irssi/ r,
+    /usr/share/irssi/** r,
+}
+
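Review bot: The two home-directory rules `@{HOME}/irclogs/** rwk,` and `@{HOME}/.irssi/** rwk,` carry no `owner` qualifier, unlike every @{HOME} rule in the iceweasel profile added by this same commit. With the stock tunables @{HOME} expands to every directory under @{HOMEDIRS}, so as written the profile lets irssi read and write other users' irclogs and .irssi trees with only DAC in the way — and ~/.irssi is, as far as I recall, where irssi auto-loads Perl scripts from, which the perl abstraction turns into live code. Suggest `owner @{HOME}/irclogs/** rwk,` and `owner @{HOME}/.irssi/** rwk,`. Note also that `**` does not match the directory itself, so `owner @{HOME}/.irssi/ r,` may be needed to list it, the way the rtorrent profile grants `r` on its session directory.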
diff --git a/usr.bin.rtorrent b/usr.bin.rtorrent
new file mode 100644
index 0000000..17b88f0
--- /dev/null
+++ b/usr.bin.rtorrent
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# Alberto - 26/Oct/2013
+
+#include <tunables/global>
+
+/usr/bin/rtorrent {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    @{HOME}/.rtorrent-session/ r,
+    @{HOME}/.rtorrent-session/** rwk,
+    @{HOME}/.rtorrent.rc r,
+    /var/media/torrent/** rwk,
+}
+
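Review bot: The `@{HOME}/.rtorrent-session/` pair and `@{HOME}/.rtorrent.rc r,` have no `owner` qualifier, so with the default @{HOME} tunable (all of @{HOMEDIRS}/*/) they cover every user's session directory and rc file rather than the invoking user's; since rtorrent accepts connections from arbitrary peers, a compromised instance writing into another user's `.rtorrent-session` tree (DAC permitting) is the scenario this profile should be closing. Suggest `owner @{HOME}/.rtorrent-session/ r,`, `owner @{HOME}/.rtorrent-session/** rwk,` and `owner @{HOME}/.rtorrent.rc r,`. `/var/media/torrent/** rwk,` looks like a deliberately shared download area where the absence of `owner` is intentional; a one-line comment saying so (`# shared download area, intentionally not owner-restricted`) would save the next reader from asking.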