apparmor-easyprof-ubuntu-1.1.16/0000775000000000000000000000000012230275270013457 5ustar apparmor-easyprof-ubuntu-1.1.16/debian/0000775000000000000000000000000012321314151014672 5ustar apparmor-easyprof-ubuntu-1.1.16/debian/compat0000664000000000000000000000000212053206130016067 0ustar 9 apparmor-easyprof-ubuntu-1.1.16/debian/README.source0000664000000000000000000000062412274260676017076 0ustar In Ubuntu, we will use MAJOR.MINOR for the policy version, ignoring MICRO. Therefore, this package uses a version number of 1.0.0 for the initial release and ships policy in ubuntu/1.0. The 1.0.1 release will make changes to ubuntu/1.0 while 1.1.0 will start shipping policy for ubuntu/1.1. When adding templates and policy groups, you should also adjust the debian/tests/install_* autopkgtest scripts. apparmor-easyprof-ubuntu-1.1.16/debian/tests/0000775000000000000000000000000012274267377016064 5ustar apparmor-easyprof-ubuntu-1.1.16/debian/tests/installed_policy_groups0000775000000000000000000000364212274257016022741 0ustar #!/bin/sh # Author: Jamie Strandboge # Copyright (C) 2013 Canonical Ltd. # # This script is distributed under the terms and conditions of the GNU General # Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html # for details. 
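set -e

# Note, we don't need to run apparmor_parser because aa-easyprof will do that
# for us if apparmor_parser is found

# Overall result: "0" until any expected group is missing or an unexpected
# one is listed, then "1". We keep going after the first mismatch so that a
# single run reports every discrepancy.
rc="0"

# Policy groups that must (and must only) be listed for each policy version.
# 1.1 differs from 1.0 by the addition of 'webview'.
expected_policy_groups_10="accounts audio calendar camera connectivity contacts content_exchange content_exchange_source friends history location microphone music_files music_files_read networking picture_files picture_files_read sensors usermetrics video video_files video_files_read"
expected_policy_groups_11="accounts audio calendar camera connectivity contacts content_exchange content_exchange_source friends history location microphone music_files music_files_read networking picture_files picture_files_read sensors usermetrics video video_files video_files_read webview"

for v in 1.0 1.1 ; do
    expected_groups="$expected_policy_groups_10"
    if [ "$v" = "1.1" ]; then
        expected_groups="$expected_policy_groups_11"
    fi

    # 'set -e' aborts the test if aa-easyprof itself fails, so below we only
    # have to compare its (whitespace separated) output against the list.
    tmp=$(aa-easyprof --list-policy-groups --policy-vendor=ubuntu --policy-version="$v")

    # Every expected group must be present in the installed policy
    for p in $expected_groups ; do
        found=""
        for i in $tmp ; do
            if [ "$p" = "$i" ]; then
                found="yes"
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "Could not find '$p'" >&2
            rc="1"
        fi
    done

    # ... and nothing beyond the expected groups may be installed, so that a
    # new group cannot slip into shipped policy without updating this test
    for p in $tmp ; do
        found=""
        for i in $expected_groups ; do
            if [ "$p" = "$i" ]; then
                found="yes"
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "Found unexpected '$p'" >&2
            rc="1"
        fi
    done
done

if [ "$rc" = "0" ]; then
    echo "PASS"
else
    echo "FAIL"
fi

exit "$rc"
apparmor-easyprof-ubuntu-1.1.16/debian/tests/control0000664000000000000000000000013312274256720017452 0ustar Tests: installed_policy_groups installed_templates
Depends: @, apparmor, apparmor-easyprof
apparmor-easyprof-ubuntu-1.1.16/debian/tests/installed_templates0000775000000000000000000000274612274260047022043 0ustar #!/bin/sh
# Author: Jamie Strandboge
# Copyright (C) 2014 Canonical Ltd.
#
# This script is distributed under the terms and conditions of the GNU General
# Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html
# for details.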
set -e # Note, we don't need to run apparmor_parser because aa-easyprof will do that # for us if apparmor_parser is found rc="0" expected_templates_10="default ubuntu-sdk ubuntu-webapp unconfined" expected_templates_11="default ubuntu-sdk ubuntu-webapp unconfined" for v in 1.0 1.1 ; do expected_templates="$expected_templates_10" if [ "$v" = "1.1" ]; then expected_templates="$expected_templates_11" fi tmp=`aa-easyprof --list-templates --policy-vendor=ubuntu --policy-version=$v` for p in $expected_templates ; do found="" for i in $tmp ; do if [ "$p" = "$i" ]; then found="yes" continue fi done if [ -z "$found" ]; then echo "Could not find '$p'" >&2 rc="1" fi done unexpected="" for p in $tmp ; do found="" for i in $expected_templates ; do if [ "$p" = "$i" ]; then found="yes" continue fi done if [ -z "$found" ]; then echo "Found unexpected '$p'" >&2 rc="1" fi done done if [ "$rc" = "0" ]; then echo "PASS" else echo "FAIL" fi exit "$rc" apparmor-easyprof-ubuntu-1.1.16/debian/source/0000775000000000000000000000000012053211760016176 5ustar apparmor-easyprof-ubuntu-1.1.16/debian/source/format0000664000000000000000000000001512053211760017405 0ustar 3.0 (native) apparmor-easyprof-ubuntu-1.1.16/debian/control0000664000000000000000000000077012317344507016316 0ustar Source: apparmor-easyprof-ubuntu Section: admin Priority: optional Maintainer: Jamie Strandboge Build-Depends: debhelper (>= 9), python3-minimal, apparmor-easyprof Standards-Version: 3.9.3 XS-Testsuite: autopkgtest Package: apparmor-easyprof-ubuntu Architecture: all Depends: ${misc:Depends}, apparmor (>= 2.8.95~2430-0ubuntu4) Description: AppArmor easyprof templates for Ubuntu Provides AppArmor easyprof templates and policygroups suitable for use with the Ubuntu app ecosystem. 
apparmor-easyprof-ubuntu-1.1.16/debian/changelog0000664000000000000000000007165012321314151016555 0ustar apparmor-easyprof-ubuntu (1.1.16) trusty; urgency=medium * 1.1/webview: update to allow exec of chrome-sandbox now that oxide is doing a proper fork/exec -- Jamie Strandboge Wed, 09 Apr 2014 13:58:10 -0500 apparmor-easyprof-ubuntu (1.1.15) trusty; urgency=medium * 1.*/unconfined: update for ptrace and signal * 1.1/music_files*: add rules for talking to the media-hub-server and read access to mediascanner files * 1.1/video_files*: add rules for talking to the media-hub-server and read access to mediascanner files -- Jamie Strandboge Tue, 08 Apr 2014 07:09:42 -0500 apparmor-easyprof-ubuntu (1.1.14) trusty; urgency=medium * 1.1/webview: update for ptrace and signal mediation (LP: #1298611) * debian/control: Depends on apparmor >= 2.8.95~2430-0ubuntu4 -- Jamie Strandboge Thu, 03 Apr 2014 15:19:23 -0500 apparmor-easyprof-ubuntu (1.1.13) trusty; urgency=medium * 1.1/webview (LP: #1301351) - add 'mr' for chrome-sandbox and oxide-renderer - allow 'r' for @{PROC}/sys/kernel/yama/ptrace_scope -- Jamie Strandboge Wed, 02 Apr 2014 09:11:49 -0500 apparmor-easyprof-ubuntu (1.1.12) trusty; urgency=medium * 1.1/webview: suppress denial for write to /usr/bin/locales/ like we do for /usr/lib/@{multiarch}/oxide-qt/locales/ already since it is confusing for people who are diagnosing oxide issues (LP: #1260044) -- Jamie Strandboge Mon, 31 Mar 2014 13:14:37 -0500 apparmor-easyprof-ubuntu (1.1.11) trusty; urgency=medium * 1.0/ubuntu-*: explicitly deny access to oxide files so webbrowser-app's fallback mechanism to QtWebKit works correctly. This is needed so 13.10 framework webapps don't regress * 1.1/webview: prevent certificate db poisoning and disallow write access to @{HOME}/.pki/nssdb/*. Note, while this prevents cert attacks, it doesn't prevent information disclosure so once LP: 1260048 is fixed in oxide, we can remove the read access. 
-- Jamie Strandboge Fri, 28 Mar 2014 09:57:13 -0500 apparmor-easyprof-ubuntu (1.1.10) trusty; urgency=medium * 1.*/ubuntu-*: - add read access to /usr/share/unity/icons/**. Why this isn't under /usr/share/icons/unity instead, I don't know, but the access is harmless, so allow it. This is currently needed by the gallery - explicitly deny access to com.canonical.snapdecisions interface (LP: #1291234) * 1.*/friends: allow freedesktop.org notifications which is needed by the gallery app to show that a picture has been uploaded (LP: #1279969) * debian/control: Build-Depends on apparmor-easyprof since it is needed by the testsuite. This is needed because dh-apparmor now only Suggests apparmor-easyprof -- Jamie Strandboge Mon, 24 Mar 2014 17:20:42 -0500 apparmor-easyprof-ubuntu (1.1.9) trusty; urgency=medium * adjustments for Qt5.2 - 1.*/networking: like with other NetworkManager access, explicitly deny connecting to peer=(name=org.freedesktop.NetworkManager) * 1.1/content_exchange: deny 'w' on ~/.cache/@{APP_PKGNAME}/HubIncoming/**. The content-hub will create hard links in this directory for volatile data, but using hard links means the content source file could be modified by the app. This prevents that. 
(LP: #1293771) -- Jamie Strandboge Mon, 17 Mar 2014 15:04:33 -0500 apparmor-easyprof-ubuntu (1.1.8) trusty; urgency=medium * 1.*/ubuntu-sdk: allow accesses to workaround intel driver crash on X - allow read of /sys/devices/pci[0-9]*/**/uevent - allow read of /etc/udev/udev.conf - explicitly deny /run/udev/data/**, like we do elsewhere - LP: #1286162 -- Jamie Strandboge Wed, 05 Mar 2014 12:16:44 -0600 apparmor-easyprof-ubuntu (1.1.7) trusty; urgency=medium * 1.*/ubuntu-sdk: /usr/share/ubuntu-html5-theme moved to /usr/share/ubuntu-html5-ui-toolkit (LP: #1287297) -- Jamie Strandboge Mon, 03 Mar 2014 12:18:22 -0600 apparmor-easyprof-ubuntu (1.1.6) trusty; urgency=medium * add hardware/graphics.d/apparmor-easyprof-ubuntu_flo * update hardware/graphics.d/apparmor-easyprof-ubuntu_mako: allow read of /sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/gpuclk r, * 1.*/ubuntu-*: add read for /sys/devices/system/cpu/ -- Jamie Strandboge Sat, 22 Feb 2014 11:22:12 -0600 apparmor-easyprof-ubuntu (1.1.5) trusty; urgency=medium * 1.0/ubuntu-sdk: add read to qtdeclarative5-ubuntu-ui-extras-browser-plugin for applications that use UbuntuWebview (LP: #1280293) * 1.1/webview: add read to qtdeclarative5-ubuntu-ui-extras-browser-plugin.
With 1.1 we will use oxide so all applications using UbuntuWebview will need to specify this policy group, so just add it here rather than the ubuntu-sdk template * adjust ubuntu-* templates to allow read to /usr/share/libthai/thbrk.tri as a temporary fix until the AppArmor fonts abstraction has the real fix (LP: #1278702) * 1.1/ubuntu-webapp: explicitly deny noisy read access to /sys/bus/ and /sys/class/ -- Jamie Strandboge Tue, 18 Feb 2014 09:00:55 -0600 apparmor-easyprof-ubuntu (1.1.4) trusty; urgency=medium * 1.*/ubuntu-sdk: adjust for ubuntu-html5-app-launcher (LP: #1274640) - allow reexec for /usr/bin/ubuntu-html5-app-launcher to handle HTML5 apps launched via upstart-app-launch - allow read access to /usr/share/ubuntu-html5-app-launcher/** * 1.*/accounts: - allow read on @{HOME}/.local/share/accounts/** to dereference click symlinks for online accounts providers (LP: #1278859) - add comment about usage of com.nokia.singlesignonui.cookiesForIdentity * 1.*/networking: finetune DownloadManager DBus access (LP: #1277578) - explicitly allow safe and explicitly disallow unsafe DownloadManager APIs - restrict apps to their own downloads * 1.*/ubuntu-webapp: allow the webapps access to SignonUi API for retrieving web cookies for an account (com.nokia.singlesignonui.cookiesForIdentity). This is being added to the ubuntu-webapp template instead of the accounts policy group because this API should only be available to the webapp container and is not needed to use online accounts in general (LP: #1278934) -- Jamie Strandboge Wed, 12 Feb 2014 09:20:58 -0600 apparmor-easyprof-ubuntu (1.1.3) trusty; urgency=medium * 1.1/webview: updates for oxide * 1.1/ubuntu-sdk: remove workaround policy for LP: #1197056 (cordova webview applications should not use ~/.local/share) * 1.*/ubuntu-sdk: allow to receive Open on org.freedesktop.Application to allow UriHandler in the SDK to work with already running apps. Patch thanks to Ken Vandine.
* implement autopkgtests - add debian/tests/control - add debian/tests/install_* - adjust debian/control for XS-Testsuite -- Jamie Strandboge Wed, 05 Feb 2014 16:54:26 -0500 apparmor-easyprof-ubuntu (1.1.2) trusty; urgency=medium * 1.*/ubuntu-* templates: allow ro access to /etc/xdg/QtProject/Sensors.conf (LP: #1267972) -- Jamie Strandboge Fri, 10 Jan 2014 13:39:00 -0600 apparmor-easyprof-ubuntu (1.1.1) trusty; urgency=medium * adjust policy for webapp-container (LP: #1267183) - 1.0/ubuntu-webapp template adds /usr/bin/webapp-container rmix since apps can currently only use ubuntu-sdk-13.10 framework - 1.1/ubuntu-webapp template replaces /usr/bin/webbrowser-app with /usr/bin/webapp-container since 1.1 policy will only be allowed with ubuntu-sdk-14.04 framework -- Jamie Strandboge Thu, 09 Jan 2014 07:53:56 -0600 apparmor-easyprof-ubuntu (1.1.0) trusty; urgency=medium * no change over last version except the minor version of the packaging version which I forgot to increment in the last upload -- Jamie Strandboge Fri, 20 Dec 2013 14:29:06 -0600 apparmor-easyprof-ubuntu (1.0.44) trusty; urgency=low * add ubuntu/1.1 policy, symlinking to 1.0 for things with no changes * adjust tests/test-data.py for 1.1 policy * add webview policy group for oxide * 1.*/ubuntu-* templates: - remove old comment about Click packages being installed in /opt - explicitly deny /run/shm/lttng-ust-* (LP: #1260491) - also allow /custom/xdg/data/themes (LP: #1261875) * 1.1/ubuntu-* templates: remove access to /tmp/mir_socket (LP: #1236912) * add hardware/graphics.d/apparmor-easyprof-ubuntu_goldfish -- Jamie Strandboge Fri, 20 Dec 2013 08:13:36 -0600 apparmor-easyprof-ubuntu (1.0.43) trusty; urgency=low * ubuntu-* templates: explicitly disable access to /dev/input/* (with audit) to ensure they aren't ever accidentally enabled * accounts: add policy for account change notifications and invoking the trusted helper (LP: #1245903) * ubuntu-* templates: also allow rw access to 
/sys/devices/virtual/timed_output/vibrator/enable -- Jamie Strandboge Thu, 21 Nov 2013 06:15:03 -0600 apparmor-easyprof-ubuntu (1.0.42) trusty; urgency=low * ubuntu-sdk template: - workaround non-app-specific cordova-ubuntu file accesses (LP: 1197056) - allow reexec for /usr/bin/cordova-ubuntu* to handle cordova apps launched via upstart-app-launch (LP: #1244655) -- Jamie Strandboge Fri, 25 Oct 2013 15:39:29 -0500 apparmor-easyprof-ubuntu (1.0.41) trusty; urgency=low * ubuntu-* templates: - allow rw access to /sys/class/timed_output/vibrator/enable (LP: #1241735) - comment on how NameHasOwner and GetNameOwner may leak information * networking: explicitly deny receive messages and signals from network manager and ofono in addition to send to silence denials for apps and libraries with too broad AddMatch calls * hardware/video.d: add hardware specific accesses for mako and maguro (LP: #1243198) * hardware/audio.d: add hardware specific accesses for mako * video: - include hardware/video.d - add /dev/ashmem * audio: add /dev/ashmem -- Jamie Strandboge Tue, 22 Oct 2013 07:37:43 -0500 apparmor-easyprof-ubuntu (1.0.40) saucy; urgency=low * unconfined template: updates for terminal app - due to AF_UNIX use attach_disconnected - allow mount, remount and umount -- Jamie Strandboge Tue, 15 Oct 2013 08:37:54 -0500 apparmor-easyprof-ubuntu (1.0.39) saucy; urgency=low * friends: add dbus receive to interface=com.canonical.Dee.Peer * ubuntu-* templates: - add 'r' for ~/.config/user-dirs.dirs - remove temporary vs-thumb /usr/share access now that it is fixed (LP: #1235325) * calendar: also allow CalendarView (LP: #1239073) -- Jamie Strandboge Sun, 13 Oct 2013 21:55:36 -0500 apparmor-easyprof-ubuntu (1.0.38) saucy; urgency=low * ubuntu-* templates: move /run/shm/hybris_shm_data access out of the camera policy group into the templates since a recent hybris change requires this in all apps (LP: #1237539) -- Jamie Strandboge Wed, 09 Oct 2013 12:47:53 -0500 apparmor-easyprof-ubuntu 
(1.0.37) saucy; urgency=low * hardware/graphics.d/apparmor-easyprof-ubuntu_grouper: allow 'rw' to /dev/knvmap (LP: #1237436) -- Jamie Strandboge Wed, 09 Oct 2013 09:29:56 -0500 apparmor-easyprof-ubuntu (1.0.36) saucy; urgency=low * ubuntu-* templates: - due to AF_UNIX use attach_disconnected and allow rw on /dev/socket/property_service (LP: #1208988) - add temporary workaround to use /tmp/mir_socket (LP: 1236912) -- Jamie Strandboge Tue, 08 Oct 2013 13:11:46 -0500 apparmor-easyprof-ubuntu (1.0.35) saucy; urgency=low * apparmor-easyprof-ubuntu.install: install data/hardware/*, thus allowing porters, OEMs, etc to ship their own policy without having to modify this package (LP: #1197133) * add data/hardware/graphics.d/* and data/hardware/audio.d/*, namespaced to this package. We will move these out to lxc-android-config later * tests/test-data.py: adjust to test data/hardware/* * accounts: move to reserved status until LP: 1230091 is fixed * calendar: remove workaround rule for gio DBus path (LP: #1227295) * add usermetrics policy group so apps can update the infographic * ubuntu-* templates: - allow StartServiceByName on the system bus too. This is needed by the new usermetrics policy group and we will presumably have more going forward (eg location) - account for /org/freedesktop/dbus object path. 
This seems to be used by the python DBus bindings (eg, friends) - move hardware specific accesses out of the templates into hardware/graphics.d/ in preparation of the move to shipping these in lxc-android-config (note, this doesn't change apparmor policy in any way) - add 'r' to dbus system bus socket (LP: #1208988) - add ixr access to thumbnailer helper (LP: #1234543) - finetune HUD access - don't use ibus abstraction but instead use 'r' access for owner @{HOME}/.config/ibus/** - don't use freedesktop.org abstraction but instead add read accesses for /usr/share/icons and various mime files - updates for new gstreamer - move in gstreamer accesses from audio policy groupd due to hybris * ubuntu-sdk template: - remove workaround paths now that ubuntu-ui-toolkit is using QCoreApplication::applicationName based on MainView's applicationName (LP: #1197056, #1197051, #1224126, LP: #1231863) * ubuntu-webapp template: - allow read access to /usr/share/unity-webapps/userscripts/** - allow rix to gst-plugin-scanner * add reserved friends policy group (reserved because it needs integration with trust-store to be used by untrusted apps) * remove peer from receive DBus rules in the ubuntu-* templates and the contacts, history, and location policy groups (LP: #1233895) * audio: - move gstreamer stuff out to templates since hybris pulls it in for all apps - include hardware/audio.d for hardware specific accesses -- Jamie Strandboge Mon, 07 Oct 2013 13:18:27 -0500 apparmor-easyprof-ubuntu (1.0.34) saucy; urgency=low * ubuntu-* templates: allow read access to themes in /custom (LP: #1229471) -- Jamie Strandboge Tue, 24 Sep 2013 10:27:02 -0500 apparmor-easyprof-ubuntu (1.0.33) saucy; urgency=low * ubuntu-webapp: allow reexec for webbrowser-app to handle webapps launched via upstart-app-launch (LP: #1228236) -- Jamie Strandboge Fri, 20 Sep 2013 11:46:35 -0500 apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low * accounts: - needs lock ('k') access to 
.config/libaccounts-glib/accounts.db and read access to .config/libaccounts-glib/accounts.db*. - read access to /usr/share/accounts/** - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552) * refine audio policy group: - remove /tmp/ accesses now that TMPDIR is set by the sandbox - allow access to only the native socket (ie, disallow dbus-socket (only needed by pacmd), access to pid and the cli debugging socket) (LP: #1211380) - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already exist when click apps run - remove /dev/binder, no longer needed now that we use audio HAL and pulseaudio - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist * camera: - add rw for /dev/ashmem. This will go away when camera moves to HAL - rw /run/shm/hybris_shm_data - add read on /android/system/media/audio/ui/camera_click.ogg * connectivity: - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress, QNetworkInterface - add commented out rules for ofono (LP: 1226844) * finalize content_exchange policy for the content-hub. We now have two different policy groups: content_exchange for requesting/importing data and content_exchange_source for providing/exporting data * microphone: - remove /dev/binder, no longer needed now that we use audio HAL and pulseaudio - add gstreamer and pulseaudio accesses and silence ALSA denials (we force pulseaudio). Eventually we should consolidate these and the ones in audio into a separate abstraction. * networking - explicitly deny access to NetworkManager. This technically shouldn't be needed at all, but depending on how apps connect, the lowlevel libraries get NM involved. Do the same for ofono - add access to the download manager (LP: #1227860) * video: add gstreamer accesses.
Eventually we should consolidate these and the ones in audio into a gstreamer abstraction * add the following new reserved policy groups (reserved because they need integration with trust-store to be used by untrusted apps): - calendar - to access /org/gnome/evolution/dataserver/SourceManager, /org/gnome/evolution/dataserver/CalendarFactory and /org/gnome/evolution/dataserver/Calendar/** - contacts - to access com.canonical.pim and org.freedesktop.Telepathy. Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed - history - to access com.canonical.HistoryService * remove unused policy groups. This would normally constitute a new minor version, but no one is using these yet. When there is an API to use for this sort of thing, we can reintroduce them - read_connectivity_details - bluetooth (no supported Qt5 API for these per the SDK team) - nfc (no supported Qt5 API for these per the SDK team) * ubuntu* templates: - remove workaround HUD rule for DBus access to hud/applications/* now that the HUD is fixed. - allow connecting to dbus-daemon system daemon (org.freedesktop.DBus) for Hello, GetNameOwner, NameHasOwner, AddMatch and RemoveMatch which are all currently used when connecting to the network depending on the application API used. Allow the accesses to silence the denials: they are harmless and allows us to add more allow rules for other policy groups for system bus APIs down the line (as opposed to if we explicitly denied the accesses to org.freedesktop.DBus). 
- add more Nexus 7 accesses * ubuntu-sdk template: - remove workaround access for /tmp/*.sci now that TMPDIR is set (LP: #1197047) - remove workaround access for /var/tmp/etilqs_* now that TMPDIR is set (LP: #1197049) - add support for HTC vision thanks to Florian Will (LP: #1214975) * ubuntu-webapp template: use only application specific directories rather than the global webbrowser-app one (LP: #1226085) * debian/rules: enable tests during build * debian/control: Build-Depends on python3-minimal (for tests) * apparmor-easyprof-ubuntu.postinst: run aa-clickhook -f if it is available -- Jamie Strandboge Wed, 18 Sep 2013 15:06:15 -0500 apparmor-easyprof-ubuntu (1.0.31) saucy; urgency=low * ubuntu-* templates: allow unconditional access to the DispatchURL API from com.canonical.URLDispatcher * ubuntu-sdk template: add another temporary workaround for non-app-specific path for qtdeclarative5-u1db1.0 (see LP: 1224126 for details) -- Jamie Strandboge Wed, 11 Sep 2013 16:36:01 -0500 apparmor-easyprof-ubuntu (1.0.30) saucy; urgency=low * update location policy group to allow connections to location service on the system bus (LP: #1223211).
This will need to be updated once the trust-store is implemented (that is tracked in LP: 1223371) * move ubuntu-webapp-experimental to ubuntu-webapp * ubuntu-* templates: clarify comments on XDG base dirs -- Jamie Strandboge Tue, 10 Sep 2013 08:49:06 -0500 apparmor-easyprof-ubuntu (1.0.29) saucy; urgency=low * add 'Usage' meta information to all policy groups * music_files*, picture_files*, video_files*: update the descriptions for these policy groups and mark them as reserved * debian/README.Debian: update for the above -- Jamie Strandboge Thu, 05 Sep 2013 09:31:33 -0500 apparmor-easyprof-ubuntu (1.0.28) saucy; urgency=low * accounts policy group: allow read access to accounts.db (LP: #1220552) * audio policy group: allow a few more pulseaudio accesses (LP: #1220552) * ubuntu-sdk template: allow read access to gschemas.compiled (LP: #1218655) -- Jamie Strandboge Wed, 04 Sep 2013 08:34:33 -0500 apparmor-easyprof-ubuntu (1.0.27) saucy; urgency=low * ubuntu-* template: update HUD access -- Jamie Strandboge Tue, 03 Sep 2013 11:18:37 -0500 apparmor-easyprof-ubuntu (1.0.26) saucy; urgency=low * ubuntu-* template: allow accesses to /android/vendor/lib (LP: #1219885) -- Jamie Strandboge Tue, 03 Sep 2013 09:38:03 -0500 apparmor-easyprof-ubuntu (1.0.25) saucy; urgency=low * accounts, location, content_exchange: uncomment DBus rules now that apparmor_parser supports them * ubuntu-sdk: - deny QtWebPluginProcess for now - simplify workaround access for webkit webviews * ubuntu-*: fix HUD accesses -- Jamie Strandboge Fri, 30 Aug 2013 16:10:53 -0500 apparmor-easyprof-ubuntu (1.0.24) saucy; urgency=low * ubuntu-* template: adjust HUD rule to use @{APP_ID_DBUS} * debian/control: Depends on apparmor (>= 2.8.0-0ubuntu26) which is first to support variables in DBus rules -- Jamie Strandboge Thu, 29 Aug 2013 21:53:36 -0500 apparmor-easyprof-ubuntu (1.0.23) saucy; urgency=low * ubuntu-sdk template: another update for HUD DBus rules * add preliminary ubuntu-webapp-experimental template 
-- Jamie Strandboge Thu, 29 Aug 2013 14:36:17 -0500 apparmor-easyprof-ubuntu (1.0.22) saucy; urgency=low * ubuntu-sdk template: - add rk for gnome/index.theme - add DBus rule for maliit - add DBus rules for com.canonical.Shell.BottomBarVisibilityCommunicator - update HUD DBus rules -- Jamie Strandboge Thu, 29 Aug 2013 08:23:39 -0500 apparmor-easyprof-ubuntu (1.0.21) saucy; urgency=low * unconfined template: add access to DBus * ubuntu-sdk template: preliminary DBus rules * debian/control: update to Depends on apparmor 2.8.0-0ubuntu25, the first version of apparmor that supports DBus rules -- Jamie Strandboge Wed, 28 Aug 2013 16:24:52 -0500 apparmor-easyprof-ubuntu (1.0.20) saucy; urgency=low * ubuntu-sdk template: allow accesses to /android/system/lib -- Jamie Strandboge Wed, 28 Aug 2013 10:22:32 -0500 apparmor-easyprof-ubuntu (1.0.19) saucy; urgency=low * ubuntu-sdk template: simplify the accesses to the QML OfflineStorage. These rules are temporary and the old ones slowed down the parser -- Jamie Strandboge Fri, 23 Aug 2013 16:59:52 -0500 apparmor-easyprof-ubuntu (1.0.18) saucy; urgency=low * ubuntu-sdk template: allow accesses for cordova (PhoneGap) -- Jamie Strandboge Fri, 23 Aug 2013 13:58:30 -0500 apparmor-easyprof-ubuntu (1.0.17) saucy; urgency=low * ubuntu-sdk template: - add note on info leaks via /proc until we get the kernel vars -- Jamie Strandboge Fri, 16 Aug 2013 12:27:16 -0500 apparmor-easyprof-ubuntu (1.0.16) saucy; urgency=low * rename data_exchange policy group to content_exchange.
This would normally constitute a new minor version, but no one is using these yet * ubuntu-sdk template: - add a couple PROC accesses for desktop systems - add /usr/bin/qtchooser rmix for launching under upstart - add device specific access for desktop nvidia users (LP: #1212425) - adjust to use /{,var/}run/user/*/confined/@{APPNAME} instead of /{,var/}run/user/*/@{APPNAME} -- Jamie Strandboge Wed, 14 Aug 2013 13:56:04 -0500 apparmor-easyprof-ubuntu (1.0.15) saucy; urgency=low * ubuntu-sdk template: - remove redundant library access - add device specific access for manta (LP: #1211055) -- Jamie Strandboge Wed, 14 Aug 2013 13:46:01 -0500 apparmor-easyprof-ubuntu (1.0.14) saucy; urgency=low * audio policy group: - adjust to enforce pulseaudio, and clean up comments for gstreamer - generalize gstreamer access a bit * ubuntu-sdk template: - adjust template to use /{,var/}run/user/*/confined/@{APPNAME}/ to avoid potential name conflicts and info disclosure of running apps - remove stray gstreamer access that is now in audio -- Jamie Strandboge Mon, 12 Aug 2013 10:59:19 -0500 apparmor-easyprof-ubuntu (1.0.13) saucy; urgency=low * update audio, camera and video for desktop systems * ubuntu-sdk template - remove libhybris change in 1.0.12. After studying the architecture, this provides no security benefit - add note on binder * move /dev/binder accesses out to each policy group that requires them. These will be removed as the migration to HAL is performed (see LP 1197134 for details) -- Jamie Strandboge Fri, 09 Aug 2013 15:02:57 -0500 apparmor-easyprof-ubuntu (1.0.12) saucy; urgency=low * update ubuntu-sdk template for libhybris. We will allow loading various android libraries except those associated with our policy group permissions for audio, camera, gps, microphone, sensors and video. Ideally we'll have a cleaner way of handling this in the future, but it works for now.
* add initial set of supported policy groups: - accounts (commented out DBus rules) - audio - bluetooth (empty) - camera - connectivity (empty) - data_exchange (commented out DBus rules) - location (commented out DBus rules) - microphone - music_files - music_files_read - networking - nfc (empty) - picture_files - picture_files_read - read_connectivity_details (empty) - sensors (empty) - video - video_files - video_files_read -- Jamie Strandboge Thu, 01 Aug 2013 16:58:23 -0500 apparmor-easyprof-ubuntu (1.0.11) saucy; urgency=low * update ubuntu-sdk to have policy for standard locations for XDG_CONFIG_HOME and XDG_RUNTIME_DIR too -- Jamie Strandboge Wed, 31 Jul 2013 14:22:07 -0500 apparmor-easyprof-ubuntu (1.0.10) saucy; urgency=low * update ubuntu-sdk template for future paths: - reorganize and remove two redundant rules - allow mrwkl to @{HOME}/.cache/@{APPNAME}/** - allow mrwklix to @{HOME}/.local/share/@{APPNAME}/** ('ix' supports downloadable content) -- Jamie Strandboge Wed, 31 Jul 2013 08:49:10 -0500 apparmor-easyprof-ubuntu (1.0.9) saucy; urgency=low * update ubuntu-sdk template: - for mako - write to /sys/kernel/debug/tracing/trace_marker -- Jamie Strandboge Wed, 24 Jul 2013 09:11:36 -0500 apparmor-easyprof-ubuntu (1.0.8) saucy; urgency=low * update ubuntu-sdk template to use @{CLICK_DIR} -- Jamie Strandboge Thu, 18 Jul 2013 15:22:55 -0500 apparmor-easyprof-ubuntu (1.0.7) saucy; urgency=low * update ubuntu-sdk to allow 'mklix' in addition to 'r' in the install directory -- Jamie Strandboge Wed, 17 Jul 2013 09:37:45 -0500 apparmor-easyprof-ubuntu (1.0.6) saucy; urgency=low * update ubuntu-sdk template for maguro * add tests/test-data.py (not yet enabled in the build) -- Jamie Strandboge Fri, 12 Jul 2013 08:28:09 -0500 apparmor-easyprof-ubuntu (1.0.5) saucy; urgency=low * update for UTIK to ubuntu-ui-toolkit path change -- Jamie Strandboge Thu, 11 Jul 2013 15:33:33 -0500 apparmor-easyprof-ubuntu (1.0.4) saucy; urgency=low * add 'unconfined' template to 
support special-cased apps that should not run under confinement. This template should not normally be used and any app using it will require manual review. -- Jamie Strandboge Thu, 11 Jul 2013 13:04:57 -0500 apparmor-easyprof-ubuntu (1.0.3) saucy; urgency=low * Simplify templates and policy groups. Policy groups should all be optional. This makes it easier for the SDK to consume - collapse templates into the ubuntu-sdk template - move sdk-base and qmlscene* policy into ubuntu-sdk template -- Jamie Strandboge Fri, 05 Jul 2013 16:01:08 -0500 apparmor-easyprof-ubuntu (1.0.2) saucy; urgency=low * add sdk-base policy group (based on apparmor's ubuntu-sdk-base) - use 'owner' with @{PROC}/cmdline - move gst-plugin-scanner to qmlscene-webview - deny accesses to /dev/log_* (LP: #1197124) - add bug reference for /dev/binder - deny access to /dev/cpuctl/apps/tasks and /dev/cpuctl/apps/bg_non_interactive/tasks * adjust qmlscene to have 'owner "@{HOME}/.local/share/Qt Project/" w,' -- Jamie Strandboge Wed, 03 Jul 2013 17:21:09 -0500 apparmor-easyprof-ubuntu (1.0.1) saucy; urgency=low * Update templates and policy groups with bug references for various FIXMEs -- Jamie Strandboge Tue, 02 Jul 2013 12:42:08 -0500 apparmor-easyprof-ubuntu (1.0.0) saucy; urgency=low * Initial release -- Jamie Strandboge Fri, 28 Jun 2013 07:50:18 -0500 apparmor-easyprof-ubuntu-1.1.16/debian/rules0000775000000000000000000000023712215737344015773 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ override_dh_auto_test: ./tests/test-data.py apparmor-easyprof-ubuntu-1.1.16/debian/copyright0000664000000000000000000000206112162661615016641 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: apparmor-easyprof-ubuntu Upstream-Contact: Jamie Strandboge Source: https://launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu Files: * Copyright: 2013 Canonical Ltd. 
License: GPL-2 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 of the License. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. . On Debian systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-2'. apparmor-easyprof-ubuntu-1.1.16/debian/apparmor-easyprof-ubuntu.postinst0000664000000000000000000000023012215741055023472 0ustar #!/bin/sh -e set -e if [ "$1" = "configure" ] && which aa-clickhook >/dev/null 2>&1; then echo "(may take a while)" aa-clickhook -f || true fi apparmor-easyprof-ubuntu-1.1.16/debian/README.Debian0000664000000000000000000000237512212112700016735 0ustar apparmor-easyprof-ubuntu ------------------------ This package install Ubuntu-specific policygroups and templates for easyprof in /usr/share/apparmor/easyprof/policygroups// /usr/share/apparmor/easyprof/templates// For example, in Ubuntu we have: /usr/share/apparmor/easyprof/policygroups/ubuntu/1.0 /usr/share/apparmor/easyprof/templates/ubuntu/1.0 To use with aa-easyprof, either specify on the command line the arguments '--policy-vendor= --policy-version=' or use in the security section of the JSON manifest file: ... "policy_version": "", "policy_vendor": ""', ... Usage ----- Policy groups fall under different usage categories with most being available to all common application use cases. Some policy groups are 'reserved' for certain applications and their use may flag the application for review. 
Each policy group contains meta-information at the top of the file: # Description: this is a description of the policy group. Typically they are # short and on one line, but may continue on multiple lines. If a policy # group is reserved, it should be explained in the description. # Usage: common|reserved -- Jamie Strandboge Thu, 05 Sep 2013 09:31:02 -0500 apparmor-easyprof-ubuntu-1.1.16/debian/apparmor-easyprof-ubuntu.install0000664000000000000000000000024312222340462023254 0ustar data/templates/* /usr/share/apparmor/easyprof/templates data/policygroups/* /usr/share/apparmor/easyprof/policygroups data/hardware/* /usr/share/apparmor/hardware apparmor-easyprof-ubuntu-1.1.16/tests/0000775000000000000000000000000012274256017014627 5ustar apparmor-easyprof-ubuntu-1.1.16/tests/test-data.py0000775000000000000000000001756412252377675017121 0ustar #!/usr/bin/python3 # Author: Jamie Strandboge # Copyright (C) 2013 Canonical Ltd. # # This script is distributed under the terms and conditions of the GNU General # Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html # for details. 
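from __future__ import print_function
import glob
import json
import os
import shutil
import subprocess
import sys
import tempfile
import unittest

# Both are assigned by the __main__ block below: topdir is the parent of the
# tests/ directory (the source tree root) and debugging is enabled by '-d'.
topdir = None
debugging = False


def recursive_rm(dirPath, contents_only=False):
    '''Recursively remove the directory tree rooted at dirPath.

    Symlinks are unlinked rather than followed, so a link inside the tree
    never causes deletion outside of it.

    Args:
        dirPath: directory to remove.
        contents_only: when True, empty the directory but keep it.
    '''
    for name in os.listdir(dirPath):
        path = os.path.join(dirPath, name)
        if os.path.islink(path) or not os.path.isdir(path):
            os.unlink(path)
        else:
            recursive_rm(path)
    if not contents_only:
        os.rmdir(dirPath)


def cmd(command):
    '''Run command (an argv list; no shell is involved) and collect output.

    Returns [returncode, output], where output is stdout and stderr combined
    as a str. If the executable cannot be started the OSError is not raised;
    [127, str(error)] is returned instead.
    '''
    try:
        sp = subprocess.Popen(command, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT,
                              universal_newlines=True)
    except OSError as ex:
        return [127, str(ex)]
    out = sp.communicate()[0]
    return [sp.returncode, str(out)]


def debug(s):
    '''Print s prefixed with "DEBUG: " when debugging is enabled.'''
    if not debugging:
        return
    print("DEBUG: %s" % s)


class T(unittest.TestCase):
    def setUp(self):
        '''Copy the shipped templates, policy groups and hardware snippets
        into a fresh temporary directory and build a minimal security
        manifest for a single test app.'''
        self.data_dir = os.path.join(topdir, 'data')
        self.tmpdir = tempfile.mkdtemp(prefix='test-aa-easyprof-ubuntu')
        shutil.copytree(os.path.join(self.data_dir, 'templates'),
                        os.path.join(self.tmpdir, 'templates'))
        shutil.copytree(os.path.join(self.data_dir, 'policygroups'),
                        os.path.join(self.tmpdir, 'policygroups'))
        hardware_dir = os.path.join(self.tmpdir,
                                    'apparmor-easyprof-ubuntu_hardware')
        shutil.copytree(os.path.join(self.data_dir, 'hardware'), hardware_dir)

        self.security = dict()
        self.security['profiles'] = dict()
        self.name = "com.ubuntu.testme"
        self.version = "0.1"
        self.profile_name = "%s_testme.desktop_%s" % (self.name, self.version)

        # create a profile
        p = dict()
        p['policy_version'] = 1.0
        p['policy_vendor'] = "ubuntu"
        p['policy_groups'] = []
        p['template_variables'] = dict()
        p['template_variables']['APPNAME'] = self.name
        p['template_variables']['APPVERSION'] = self.version
        p['template_variables']['CLICK_DIR'] = '/opt/click.ubuntu.com'
        self.security['profiles'][self.profile_name] = p

        # Update the templates to use the location of the temporary directory
        # for hardware-specific accesses rather than the system one, so we can
        # test them. The substitution is done in Python rather than with
        # 'sed -i' so the temporary path is inserted literally (no sed
        # delimiter or metacharacter handling) and no external tool is needed.
        system_hw = '/usr/share/apparmor/hardware/'
        for vendor_dir in glob.glob("%s/templates/*" % self.tmpdir):
            for version_dir in glob.glob("%s/*" % vendor_dir):
                for template_fn in glob.glob("%s/*" % version_dir):
                    with open(template_fn, 'r') as f:
                        contents = f.read()
                    with open(template_fn, 'w') as f:
                        f.write(contents.replace(system_hw,
                                                 hardware_dir + '/'))

    def _add_policy_group(self, g, name=None):
        '''Add policy group g to the named profile (default: the test
        profile) unless it is already listed.'''
        pn = self.profile_name if name is None else name
        groups = self.security['profiles'][pn]['policy_groups']
        if g not in groups:
            groups.append(g)

    def _del_policy_group(self, g, name=None):
        '''Remove policy group g from the named profile (default: the test
        profile) if it is listed.'''
        pn = self.profile_name if name is None else name
        groups = self.security['profiles'][pn]['policy_groups']
        if g in groups:
            groups.remove(g)

    def _update_template(self, t, name=None):
        '''Set the template of the named profile (default: the test
        profile) to t.'''
        pn = self.profile_name if name is None else name
        self.security['profiles'][pn]['template'] = t

    def tearDown(self):
        '''Clean up after each test_* function'''
        if os.path.exists(self.tmpdir):
            recursive_rm(self.tmpdir)

    def emit_json(self, manifest=None):
        '''Return the security manifest as indented JSON text.

        When manifest is given (and non-empty) it is emitted instead of
        self.security.
        '''
        m = dict()
        m['security'] = self.security
        if manifest:
            m['security'] = manifest
        return json.dumps(m, indent=2)

    def _easyprof(self):
        '''Write the manifest and run aa-easyprof against the temporary
        templates and policy groups, asserting that it exits 0.

        Generated profiles are dumped via debug() and removed afterwards.
        '''
        contents = self.emit_json()
        debug("\n" + contents)

        out_dir = os.path.join(self.tmpdir, "out")
        m = os.path.join(self.tmpdir, "manifest")
        with open(m, 'w') as f:
            f.write(contents)

        rc, out = cmd(['aa-easyprof',
                       '--templates-dir=%s' % os.path.join(self.tmpdir,
                                                           'templates'),
                       '--policy-groups-dir=%s' % os.path.join(self.tmpdir,
                                                               'policygroups'),
                       '--manifest=%s' % m,
                       '--output-directory=%s' % out_dir,
                       ])
        self.assertTrue(rc == 0,
                        "aa-easyprof exited with error:\n%s\n%s\n[%d]" %
                        (contents, out, rc))

        for fn in glob.glob("%s/*" % out_dir):
            debug(fn)
            with open(fn, 'r') as f:
                debug("\n%s" % f.read())

        if os.path.exists(out_dir):
            recursive_rm(out_dir)

    def test_templates(self):
        '''Test templates: every template of every vendor/version generates
        a profile without error.'''
        debug("")
        for vendor_dir in glob.glob("%s/templates/*" % self.tmpdir):
            vendor = os.path.basename(vendor_dir)
            for version_dir in glob.glob("%s/*" % vendor_dir):
                version = os.path.basename(version_dir)
                profile = self.security['profiles'][self.profile_name]
                # keep the manifest in step with the directory being walked
                profile['policy_vendor'] = vendor
                profile['policy_version'] = version
                for template_fn in glob.glob("%s/*" % version_dir):
                    template = os.path.basename(template_fn)
                    self._update_template(template)
                    debug("%s/%s/%s" % (vendor, version, template))
                    self._easyprof()

    def test_policygroups(self):
        '''Test policygroups: every policy group, combined with every
        template of the same vendor/version, generates a profile without
        error.'''
        debug("")
        for vendor_dir in glob.glob("%s/policygroups/*" % self.tmpdir):
            vendor = os.path.basename(vendor_dir)
            for version_dir in glob.glob("%s/*" % vendor_dir):
                version = os.path.basename(version_dir)
                profile = self.security['profiles'][self.profile_name]
                # keep the manifest in step with the directory being walked
                profile['policy_vendor'] = vendor
                profile['policy_version'] = version
                for group_fn in glob.glob("%s/*" % version_dir):
                    group = os.path.basename(group_fn)
                    self._add_policy_group(group)
                    for template_fn in glob.glob("%s/templates/%s/%s/*" % (
                            self.tmpdir, vendor, version)):
                        template = os.path.basename(template_fn)
                        self._update_template(template)
                        debug("%s/%s/%s (%s)" % (vendor, version, group,
                                                 template))
                        self._easyprof()
                    self._del_policy_group(group)


#
# Main
#
if __name__ == '__main__':
    absfn = os.path.abspath(sys.argv[0])
    topdir = os.path.dirname(os.path.dirname(absfn))

    if len(sys.argv) > 1 and sys.argv[1] == '-d':
        debugging = True

    # run the tests
    suite = unittest.TestSuite()
    suite.addTest(unittest.TestLoader().loadTestsFromTestCase(T))
    rc = unittest.TextTestRunner(verbosity=2).run(suite)

    # aa-easyprof only verifies policy syntax when apparmor_parser is
    # available, so warn when it is not on PATH
    found_parser = False
    for path in os.environ["PATH"].split(":"):
        if os.path.exists(path + "/" + "apparmor_parser"):
            found_parser = True
            break
    if not found_parser:
        print("WARN: could not find apparmor_parser. 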
Policy syntax not verified") if not rc.wasSuccessful(): sys.exit(1) apparmor-easyprof-ubuntu-1.1.16/pending/0000775000000000000000000000000012216066032015101 5ustar apparmor-easyprof-ubuntu-1.1.16/pending/README0000664000000000000000000000020012216066016015753 0ustar Files in this directory are in various states of readiness, but none should be shipped yet, and that will be noted in the file. apparmor-easyprof-ubuntu-1.1.16/pending/policygroups/0000775000000000000000000000000012216066765017655 5ustar apparmor-easyprof-ubuntu-1.1.16/pending/policygroups/read_connectivity_details0000664000000000000000000000774412216066764025031 0ustar # Description: Read network connectivity details to enumerate access points, # fine grained network data, etc. Can access detailed information about # connections. Currently it use NetworkManager which will reveal MAC # addresses, SSIDs, etc. For now, don't allow this access because it reveals # to much. A future API may make this easier. # Usage: reserved # Allow the MAC. 
Perhaps this will be allowed in another policy group /sys/devices/**/net/*/address r, # MAC # NetworkManager accesses dbus (send) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.NetworkManager), dbus (send) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.NetworkManager), dbus (send) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=GetDevices peer=(name=org.freedesktop.NetworkManager), dbus (receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=PropertiesChanged peer=(name=org.freedesktop.DBus), # Get properties for all Devices dbus (send) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.NetworkManager), dbus (send) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.NetworkManager), # Wired dbus (receive) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.NetworkManager.Device.Wired member=PropertiesChanged peer=(name=org.freedesktop.DBus), # Wireless dbus (send) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.NetworkManager.Device.Wireless member=GetAccessPoints peer=(name=org.freedesktop.NetworkManager), dbus (receive) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.NetworkManager.Device.Wireless member=PropertiesChanged peer=(name=org.freedesktop.DBus), dbus (receive) bus=system path=/org/freedesktop/NetworkManager/Devices/* interface=org.freedesktop.NetworkManager.Device.Wireless member=AccessPointAdded peer=(name=org.freedesktop.DBus), dbus (receive) bus=system path=/org/freedesktop/NetworkManager/Devices/* 
interface=org.freedesktop.NetworkManager.Device.Wireless member=AccessPointRemoved peer=(name=org.freedesktop.DBus), # Access Points dbus (send) bus=system path=/org/freedesktop/NetworkManager/AccessPoint/* interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.NetworkManager), dbus (send) bus=system path=/org/freedesktop/NetworkManager/AccessPoint/* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.NetworkManager), dbus (receive) bus=system path=/org/freedesktop/NetworkManager/AccessPoint/* interface=org.freedesktop.NetworkManager.AccessPoint member=PropertiesChanged peer=(name=org.freedesktop.DBus), # Active connections dbus (send) bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/* interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.NetworkManager), dbus (send) bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/* interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.NetworkManager), dbus (receive) bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/* interface=org.freedesktop.NetworkManager.Connection.Active member=PropertiesChanged peer=(name=org.freedesktop.DBus), apparmor-easyprof-ubuntu-1.1.16/data/0000775000000000000000000000000012222340475014371 5ustar apparmor-easyprof-ubuntu-1.1.16/data/hardware/0000775000000000000000000000000012231467122016165 5ustar apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/0000775000000000000000000000000012302162430020200 5ustar apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_surface-flinger0000664000000000000000000000014212222341340030243 0ustar # FIXME: LP: #1197134 - remove this once we migrate away from surface flinger /dev/binder rw, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_grouper0000664000000000000000000000031312225264141026660 0ustar # Nexus7 (grouper) /dev/knvmap rw, 
/dev/nvmap rw, /dev/nvhost-* rw, /dev/tegra_sema rw, /dev/tegra_avpchannel rw, /sys/module/nvhost/parameters/* r, /sys/module/fuse/parameters/tegra* r, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_goldfish0000664000000000000000000000005512255050207026776 0ustar # Emulator (goldfish) /dev/qemu_pipe rw, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_manta0000664000000000000000000000007112302162430026270 0ustar # Nexus 10 (manta) /dev/mali[0-9] rw, /dev/ion rw, ././@LongLink0000644000000000000000000000014600000000000011604 Lustar rootrootapparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_htc-desire-z-visionapparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_htc-desire-z-visio0000664000000000000000000000014612222341027030622 0ustar # HTC Desire Z (vision) /dev/kgsl-2d0 rw, /dev/genlock rw, /sys/devices/system/soc/soc0/id r, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_flo0000664000000000000000000000016012302156273025757 0ustar # Nexus 7 (flo) /dev/kgsl-3d0 rw, /dev/ion rw, /sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/gpuclk r, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_maguro0000664000000000000000000000006712222341037026472 0ustar # Galaxy Nexus specific (maguro) /dev/pvrsrvkm rw, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_mako0000664000000000000000000000016112302156371026126 0ustar # Nexus 4 (mako) /dev/kgsl-3d0 rw, /dev/ion rw, /sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/gpuclk r, apparmor-easyprof-ubuntu-1.1.16/data/hardware/graphics.d/apparmor-easyprof-ubuntu_nvidia0000664000000000000000000000070212222341071026444 0ustar # FIXME: nvidia (we could use the nvidia abstraction, but it needs ipc_lock # so lets avoid that for now. 
Note, ~/.nv/GLCache is used unless # __GL_SHADER_DISK_CACHE_PATH is set /dev/nvidia[0-9] rw, /dev/nvidiactl rw, deny @{HOME}/.nvidia/ rw, deny /tmp/gl* mrw, # nvidia does not honor TMPDIR when creating this, and # allowing this is too permissive, but it works without # it (LP: #1212425) apparmor-easyprof-ubuntu-1.1.16/data/hardware/video.d/0000775000000000000000000000000012231476176017526 5ustar apparmor-easyprof-ubuntu-1.1.16/data/hardware/video.d/apparmor-easyprof-ubuntu_maguro0000664000000000000000000000012312231476176026006 0ustar # Galaxy Nexus specific (maguro) /dev/rproc_user rw, /dev/rpmsg-omx[0-9] rw, apparmor-easyprof-ubuntu-1.1.16/data/hardware/video.d/apparmor-easyprof-ubuntu_mako0000664000000000000000000000010512231470005025424 0ustar # Nexus 4 (mako) /dev/msm_vidc_dec* rw, /dev/msm_vidc_enc* rw, apparmor-easyprof-ubuntu-1.1.16/data/hardware/audio.d/0000775000000000000000000000000012231467745017523 5ustar apparmor-easyprof-ubuntu-1.1.16/data/hardware/audio.d/apparmor-easyprof-ubuntu_grouper0000664000000000000000000000013112224632357026166 0ustar # Nexus7 (grouper) /dev/tegra_avpchannel rw, /sys/module/fuse/parameters/tegra* r, apparmor-easyprof-ubuntu-1.1.16/data/hardware/audio.d/apparmor-easyprof-ubuntu_mako0000664000000000000000000000007312231467745025444 0ustar # Nexus 4 (mako) /dev/msm_acdb rw, /dev/msm_rtac rw, apparmor-easyprof-ubuntu-1.1.16/data/templates/0000775000000000000000000000000012163322001016354 5ustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/0000775000000000000000000000000012252174715017716 5ustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.0/0000775000000000000000000000000012320025257020204 5ustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.0/ubuntu-sdk0000664000000000000000000003412712315310222022230 0ustar # # Example usage for an ubuntu-sdk app 'appname' # $ aa-easyprof --template=ubuntu-sdk \ # --profile-name=com.example.appname \ # -p networking \ # --template-var="@{APP_PKGNAME}=appname" \ # 
--template-var="@{APP_VERSION}=0.1" \
#   "/usr/share/appname/**"
#
###ENDUSAGE###

# vim:syntax=apparmor
# NOTE(review): the #include targets (the <...> part of each #include line)
# are missing from this rendering of the file; compare against the shipped
# template before relying on it.
#include

###VAR###

###PROFILEATTACH### (attach_disconnected) {
  #include
  #include
  # Temporary fix until LP: #1278702 is fixed in apparmor fonts abstraction
  /usr/share/libthai/thbrk.tri r,
  #include

  # Needed by native GL applications on Mir
  owner /{,var/}run/user/*/mir_socket rw,
  owner /tmp/mir_socket rw, # FIXME: LP: #1236912

  # Hardware-specific accesses
  # (tests/test-data.py rewrites this path to a temporary copy of
  # data/hardware so the shipped snippets are what gets exercised)
  #include "/usr/share/apparmor/hardware/graphics.d"

  #
  # DBus rules common for all apps
  #
  # Allow connecting to session bus and where to connect to services
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  # Allow starting services on the session bus (actual communications with
  # the service are mediated elsewhere)
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=StartServiceByName
       peer=(name=org.freedesktop.DBus),

  # Allow connecting to system bus and where to connect to services. Put these
  # here so we don't need to repeat these rules in multiple places (actual
  # communications with any system services is mediated elsewhere). This does
  # allow apps to brute-force enumerate system services, but our system
  # services aren't a secret.
  /{,var/}run/dbus/system_bus_socket rw,
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  # Allow starting services on the system bus (actual communications with
  # the service are mediated elsewhere)
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=StartServiceByName
       peer=(name=org.freedesktop.DBus),

  # Unity shell
  dbus (send)
       bus=session
       path="/BottomBarVisibilityCommunicator"
       interface="org.freedesktop.DBus.{Introspectable,Properties}"
       peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
  dbus (receive)
       bus=session
       path="/BottomBarVisibilityCommunicator"
       interface="com.canonical.Shell.BottomBarVisibilityCommunicator",

  # Unity HUD
  dbus (send)
       bus=session
       path="/com/canonical/hud"
       interface="org.freedesktop.DBus.Properties"
       member="GetAll",
  dbus (send)
       bus=session
       path="/com/canonical/hud"
       interface="com.canonical.hud"
       member="RegisterApplication",
  dbus (receive, send)
       bus=session
       path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
  dbus (receive)
       bus=session
       path="/com/canonical/hud/publisher*"
       interface="org.gtk.Menus"
       member="Start",
  dbus (receive)
       bus=session
       path="/com/canonical/hud/publisher*"
       interface="org.gtk.Menus"
       member="End",
  dbus (send)
       bus=session
       path="/com/canonical/hud/publisher*"
       interface="org.gtk.Menus"
       member="Changed"
       peer=(name=org.freedesktop.DBus),
  dbus (receive)
       bus=session
       path="/com/canonical/unity/actions"
       interface=org.gtk.Actions
       member={DescribeAll,Activate},
  dbus (send)
       bus=session
       path="/com/canonical/unity/actions"
       interface=org.gtk.Actions
       member=Changed
       peer=(name=org.freedesktop.DBus),
  dbus (receive)
       bus=session
       path="/context_*"
       interface=org.gtk.Actions
       member="DescribeAll",
  dbus (receive)
       bus=session
       path="/com/canonical/hud"
       interface="com.canonical.hud"
       member="UpdatedQuery",
  dbus (receive)
       bus=session
       interface="com.canonical.hud.Awareness"
       member="CheckAwareness",

  # on screen keyboard (OSK)
  dbus (send)
       bus=session
       path="/org/maliit/server/address"
       interface="org.freedesktop.DBus.Properties"
       member=Get
       peer=(name=org.maliit.server),

  # URL dispatcher. All apps can call this since:
  # a) the dispatched application is launched out of process and not
  #    controllable except via the specified URL
  # b) the list of url types is strictly controlled
  # c) the dispatched application will launch in the foreground over the
  #    confined app
  dbus (send)
       bus=session
       path="/com/canonical/URLDispatcher"
       interface="com.canonical.URLDispatcher"
       member="DispatchURL",

  # This is needed when the app is already running and needs to be passed in
  # a URL to open. This is most often used with content-hub providers, but is
  # actually supported by Qt generally (though because we don't allow the send
  # a malicious app can't send this to another app).
  dbus (receive)
       bus=session
       path=/@{APP_ID_DBUS}
       interface="org.freedesktop.Application"
       member="Open",

  # TODO: finetune this
  dbus (send) bus=session peer=(name=org.a11y.Bus),
  dbus (receive) bus=session interface=org.a11y.atspi**,
  dbus (receive, send) bus=accessibility,

  # Deny potentially dangerous access
  deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,
  audit deny dbus bus=session interface="com.canonical.snapdecisions",
  deny dbus (send) bus=session interface="org.gnome.GConf.Server",

  #
  # end DBus rules common for all apps
  #

  # Explicitly deny dangerous access
  audit deny /dev/input/** rw,

  # FIXME: ought to go in a dbus abstraction, but dbus-session is too loose
  /var/lib/dbus/machine-id r,

  # subset of GNOME stuff
  /{,custom/}usr/share/icons/** r,
  /{,custom/}usr/share/themes/** r,
  /custom/xdg/data/themes/** r,
  /etc/pango/* r,
  /usr/lib{,32,64}/pango/** mr,
  /usr/lib/@{multiarch}/pango/** mr,
  /usr/share/icons/*/index.theme rk,
  /usr/share/unity/icons/** r,

  # ibus read accesses
  /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
  owner @{HOME}/.config/ibus/ r,
  owner @{HOME}/.config/ibus/bus/ r,
  owner @{HOME}/.config/ibus/bus/* r,
  deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded

  # subset of freedesktop.org
  /usr/share/mime/** r,
  owner @{HOME}/.local/share/mime/** r,
  owner @{HOME}/.config/user-dirs.dirs r,
  /usr/share/glib*/schemas/gschemas.compiled r,

  # various /proc entries (be careful to not allow things that can be used to
  # enumerate installed apps-- this will be easier once we have a PID kernel
  # var in AppArmor)
  @{PROC}/interrupts r,
  owner @{PROC}/cmdline r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/ r,
  # FIXME: this leaks running process. Is it actually required? AppArmor kernel
  # var could solve this
  owner @{PROC}/[0-9]*/cmdline r,

  # libhybris
  /{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
  /usr/lib/@{multiarch}/libhybris/*.so mr,
  /system/build.prop r,
  # These libraries can be in any of:
  #  /vendor/lib
  #  /system/lib
  #  /system/vendor/lib
  #  /android/vendor/lib
  #  /android/system/lib
  #  /android/system/vendor/lib
  /{,android/}vendor/lib/** r,
  /{,android/}vendor/lib/**.so m,
  /{,android/}system/lib/** r,
  /{,android/}system/lib/**.so m,
  /{,android/}system/vendor/lib/** r,
  /{,android/}system/vendor/lib/**.so m,

  # attach_disconnected path
  /dev/socket/property_service rw,

  # Android logging triggered by platform. Can safely deny
  # LP: #1197124
  deny /dev/log_main w,
  deny /dev/log_radio w,
  deny /dev/log_events w,
  deny /dev/log_system w,

  # Lttng tracing. Can safely deny. LP: #1260491
  deny /{,var/}run/shm/lttng-ust-* r,

  # TODO: investigate
  deny /dev/cpuctl/apps/tasks w,
  deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
  /sys/devices/system/cpu/ r,
  /sys/kernel/debug/tracing/trace_marker w,

  # LP: #1286162
  /etc/udev/udev.conf r,
  /sys/devices/pci[0-9]*/**/uevent r,

  # Not required, but noisy
  deny /run/udev/data/** r,

  #
  # thumbnailing helper
  #
  /usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
  deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
  # FIXME: this leaks running process. AppArmor kernel var could solve this
  owner @{PROC}/[0-9]*/attr/current r,

  #
  # apps may always use vibrations
  #
  /sys/class/timed_output/vibrator/enable rw,
  /sys/devices/virtual/timed_output/vibrator/enable rw,

  #
  # apps may always use the accelerometer and orientation sensor
  #
  /etc/xdg/QtProject/Sensors.conf r,

  #
  # qmlscene
  #
  /usr/share/qtchooser/ r,
  /usr/share/qtchooser/** r,
  /usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
  owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
  audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,

  #
  # cordova-ubuntu
  #
  /usr/share/cordova-ubuntu*/ r,
  /usr/share/cordova-ubuntu*/** r,

  #
  # ubuntu-html5-app-launcher
  #
  /usr/share/ubuntu-html5-app-launcher/ r,
  /usr/share/ubuntu-html5-app-launcher/** r,
  /usr/share/ubuntu-html5-theme/ r,
  /usr/share/ubuntu-html5-theme/** r,
  /usr/share/ubuntu-html5-ui-toolkit/ r,
  /usr/share/ubuntu-html5-ui-toolkit/** r,

  # Launching under upstart requires this
  /usr/bin/qtchooser rmix,
  /usr/bin/cordova-ubuntu* rmix,
  /usr/bin/ubuntu-html5-app-launcher rmix,

  # qmlscene webview
  /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,

  # webbrowser-app, et al has a fallback mechanism that checks to see if files
  # in oxide's directory are readable. This explicit deny rule makes sure that
  # works correctly.
  deny /usr/lib/@{multiarch}/oxide-qt/** r,

  # TODO: investigate child profile
  /usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
  /usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,

  # GStreamer binary registry - hybris pulls this in for everything now, not
  # just audio
  owner @{HOME}/.gstreamer*/registry.*.bin* r,
  deny @{HOME}/.gstreamer*/registry.*.bin* w,
  deny @{HOME}/.gstreamer*/ w,
  owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
  deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
  deny @{HOME}/.cache/gstreamer*/ w,
  # gstreamer writes JIT compiled code in the form of orcexec.* files. Various
  # locations are tried so silence the ones we won't permit anyway
  deny /tmp/orcexec* w,
  deny /{,var/}run/user/*/orcexec* w,
  deny @{HOME}/orcexec* w,
  /{,android/}system/etc/media_codecs.xml r,
  /etc/wildmidi/wildmidi.cfg r,

  # Don't allow plugins in webviews for now
  deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,

  # cordova-ubuntu wants to runs lsb_release, which is a python program and we
  # don't want to give access to that. cordova-ubuntu will fallback to
  # examining /etc/lsb-release directly, which is ok. If needed, we can lift
  # the denial and ship a profile for lsb_release and add a Pxr rule
  deny /usr/bin/lsb_release rx,
  /etc/ r,
  /etc/lsb-release r,

  #
  # Application install dirs
  #
  # Click packages
  # 'ix' means executables under the install dir run under this same profile
  # (no transition); 'm' is needed to map the app's shared libraries.
  @{CLICK_DIR}/@{APP_PKGNAME}/ r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,

  # Packages shipped as debs have their install directory in /usr/share
  /usr/share/@{APP_PKGNAME}/ r,
  /usr/share/@{APP_PKGNAME}/** mrklix,

  #
  # Application writable dirs
  #
  # FIXME: LP: #1197060
  owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
  # FIXME: LP: #1197056
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/ rw,
  owner @{HOME}/.local/share/cordova-ubuntu-2.8/.QtWebKit/** rwk,

  # Allow writes to various (application-specific) XDG directories
  owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
  owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
  owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
  # Note: unlike the cache/config dirs above, the data dir also carries 'ix',
  # so files the app writes here may be executed under this profile.
  owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
  owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
  owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,

  # Placeholders below are presumably expanded by aa-easyprof from the
  # manifest / command line (see the usage example at the top) -- confirm
  # against aa-easyprof's template handling.
###ABSTRACTIONS###

###POLICYGROUPS###

###READS###

###WRITES###
}
apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.0/unconfined0000664000000000000000000000107512320025254022257 0ustar # # Example usage for an unconfined app 'appname'. This provides no protection # or configuration. # $ aa-easyprof --template=unconfined \ # --profile-name=com.example.appname \ # "/usr/share/appname/**" # ###ENDUSAGE### # vim:syntax=apparmor #include # TODO: when v3 userspace lands, use: # ###PROFILEATTACH### (unconfined) {} # v2 compatible wildly permissive profile ###PROFILEATTACH### (attach_disconnected) { capability, network, /** rwlkm, /** pix, mount, remount, umount, dbus, signal, ptrace, } apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.0/default0000777000000000000000000000000012162663415023602 2ubuntu-sdkustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.0/ubuntu-webapp0000664000000000000000000003231512315310305022724 0ustar # # Example usage for an ubuntu-webapp app 'appname' # $ aa-easyprof --template=ubuntu-webapp \ # --profile-name=com.example.appname \ # -p networking \ # --template-var="@{APP_PKGNAME}=appname" \ # --template-var="@{APP_VERSION}=0.1" \ # "/usr/share/appname/**" # ###ENDUSAGE### # vim:syntax=apparmor #include ###VAR### ###PROFILEATTACH### (attach_disconnected) { #include #include # Temporary fix until LP: #1278702 is fixed in apparmor fonts abstraction /usr/share/libthai/thbrk.tri r, #include # Needed by native GL applications on Mir owner /{,var/}run/user/*/mir_socket rw, owner /tmp/mir_socket rw, # FIXME: LP: #1236912 # Hardware-specific accesses #include "/usr/share/apparmor/hardware/graphics.d" # # DBus rules common for all webapps # # Allow connecting to session bus and where to connect to services dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and 
GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the session bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Allow connecting to system bus and where to connect to services. Put these # here so we don't need to repeat these rules in multiple places (actual # communications with any system services is mediated elsewhere). This does # allow apps to brute-force enumerate system services, but our system # services aren't a secret. /{,var/}run/dbus/system_bus_socket rw, dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the system bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Unity shell dbus (send) bus=session path="/BottomBarVisibilityCommunicator" 
interface="org.freedesktop.DBus.{Introspectable,Properties}" peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator), dbus (receive) bus=session path="/BottomBarVisibilityCommunicator" interface="com.canonical.Shell.BottomBarVisibilityCommunicator", # Unity HUD dbus (send) bus=session path="/com/canonical/hud" interface="org.freedesktop.DBus.Properties" member="GetAll", dbus (send) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="RegisterApplication", dbus (receive, send) bus=session path=/com/canonical/hud/applications/@{APP_ID_DBUS}*, dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Start", dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="End", dbus (send) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Changed" peer=(name=org.freedesktop.DBus), dbus (receive) bus=session path="/com/canonical/unity/actions" interface=org.gtk.Actions member={DescribeAll,Activate}, dbus (send) bus=session path="/com/canonical/unity/actions" interface=org.gtk.Actions member=Changed peer=(name=org.freedesktop.DBus), dbus (receive) bus=session path="/context_*" interface=org.gtk.Actions member="DescribeAll", dbus (receive) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="UpdatedQuery", dbus (receive) bus=session interface="com.canonical.hud.Awareness" member="CheckAwareness", # on screen keyboard (OSK) dbus (send) bus=session path="/org/maliit/server/address" interface="org.freedesktop.DBus.Properties" member=Get peer=(name=org.maliit.server), # URL dispatcher. 
All apps can call this since: # a) the dispatched application is launched out of process and not # controllable except via the specified URL # b) the list of url types is strictly controlled # c) the dispatched application will launch in the foreground over the # confined app dbus (send) bus=session path="/com/canonical/URLDispatcher" interface="com.canonical.URLDispatcher" member="DispatchURL", # TODO: finetune this dbus (send) bus=session peer=(name=org.a11y.Bus), dbus (receive) bus=session interface=org.a11y.atspi**, dbus (receive, send) bus=accessibility, # Deny potentially dangerous access deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, audit deny dbus bus=session interface="com.canonical.snapdecisions", deny dbus (send) bus=session interface="org.gnome.GConf.Server", # # end DBus rules common for all webapps # # Explicitly deny dangerous access audit deny /dev/input/** rw, # FIXME: ought to go in a dbus abstraction, but dbus-session is too loose /var/lib/dbus/machine-id r, # subset of GNOME stuff /{,custom/}usr/share/icons/** r, /{,custom/}usr/share/themes/** r, /custom/xdg/data/themes/** r, /etc/pango/* r, /usr/lib{,32,64}/pango/** mr, /usr/lib/@{multiarch}/pango/** mr, /usr/share/icons/*/index.theme rk, /usr/share/unity/icons/** r, # ibus read accesses /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr, owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ r, owner @{HOME}/.config/ibus/bus/* r, deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded # subset of freedesktop.org /usr/share/mime/** r, owner @{HOME}/.local/share/mime/** r, owner @{HOME}/.config/user-dirs.dirs r, # various /proc entries (be careful to not allow things that can be used to # enumerate installed apps-- this will be easier once we have a PID kernel # var in AppArmor) @{PROC}/interrupts r, owner @{PROC}/cmdline r, owner @{PROC}/[0-9]*/auxv r, owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/ r, owner 
@{PROC}/[0-9]*/task/[0-9]*/ r, # FIXME: this leaks running process. Is it actually required? AppArmor kernel # var could solve this owner @{PROC}/[0-9]*/cmdline r, # libhybris /{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific) /usr/lib/@{multiarch}/libhybris/*.so mr, /system/build.prop r, # These libraries can be in any of: # /vendor/lib # /system/lib # /system/vendor/lib # /android/vendor/lib # /android/system/lib # /android/system/vendor/lib /{,android/}vendor/lib/** r, /{,android/}vendor/lib/**.so m, /{,android/}system/lib/** r, /{,android/}system/lib/**.so m, /{,android/}system/vendor/lib/** r, /{,android/}system/vendor/lib/**.so m, # attach_disconnected path /dev/socket/property_service rw, # Android logging triggered by platform. Can safely deny # LP: #1197124 deny /dev/log_main w, deny /dev/log_radio w, deny /dev/log_events w, deny /dev/log_system w, # Lttng tracing. Can safely deny. LP: #1260491 deny /{,var/}run/shm/lttng-ust-* r, # TODO: investigate deny /dev/cpuctl/apps/tasks w, deny /dev/cpuctl/apps/bg_non_interactive/tasks w, /sys/devices/system/cpu/ r, /sys/kernel/debug/tracing/trace_marker w, # LP: #1286162 /etc/udev/udev.conf r, /sys/devices/pci[0-9]*/**/uevent r, # Not required, but noisy deny /run/udev/data/** r, # # thumbnailing helper # /usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr, deny @{HOME}/.cache/tncache-write-text.null w, # silence access test # FIXME: this leaks running process. 
AppArmor kernel var could solve this owner @{PROC}/[0-9]*/attr/current r, # # apps may always use vibrations # /sys/class/timed_output/vibrator/enable rw, /sys/devices/virtual/timed_output/vibrator/enable rw, # # apps may always use the accelerometer and orientation sensor # /etc/xdg/QtProject/Sensors.conf r, # # qmlscene # /usr/share/qtchooser/ r, /usr/share/qtchooser/** r, /usr/lib/@{multiarch}/qt5/bin/qmlscene ixr, owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk, audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w, # # webbrowser-app # /usr/share/webbrowser-app/ r, /usr/share/webbrowser-app/** r, /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r, # TODO: investigate child profile /usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix, /usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix, # webbrowser-app, et al has a fallback mechanism that checks to see if files # in oxide's directory are readable. This explicit deny rule makes sure that # works correctly. deny /usr/lib/@{multiarch}/oxide-qt/** r, # Special API for the webapp-container to prepopulate the webapp's cookie jar # with online accounts' cookie for the account of the site of the webapp dbus (receive, send) bus=session interface=com.nokia.singlesignonui member=cookiesForIdentity, # GStreamer binary registry - hybris pulls this in for everything now, not # just audio owner @{HOME}/.gstreamer*/registry.*.bin* r, deny @{HOME}/.gstreamer*/registry.*.bin* w, deny @{HOME}/.gstreamer*/ w, owner @{HOME}/.cache/gstreamer*/registry.*.bin* r, deny @{HOME}/.cache/gstreamer*/registry.*.bin* w, deny @{HOME}/.cache/gstreamer*/ w, # gstreamer writes JIT compiled code in the form of orcexec.* files. 
Various # locations are tried so silence the ones we won't permit anyway deny /tmp/orcexec* w, deny /{,var/}run/user/*/orcexec* w, deny @{HOME}/orcexec* w, /{,android/}system/etc/media_codecs.xml r, /etc/wildmidi/wildmidi.cfg r, # system user scripts /usr/share/unity-webapps/userscripts/ r, /usr/share/unity-webapps/userscripts/** r, # Don't allow plugins in webapps for now deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx, # Launching under upstart requires this /usr/bin/webbrowser-app rmix, # FIXME: workaround since ubuntu-sdk-14.04 is not defined yet and apps can # only use ubuntu-sdk-13.10 /usr/bin/webapp-container rmix, # # Application install dirs # # Click packages @{CLICK_DIR}/@{APP_PKGNAME}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, # Packages shipped as debs have their install directory in /usr/share /usr/share/@{APP_PKGNAME}/ r, /usr/share/@{APP_PKGNAME}/** mrklix, # # Application writable dirs # # FIXME: LP: #1197060 owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk, # Allow writes to various (application-specific) XDG directories owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix, owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl, ###ABSTRACTIONS### ###POLICYGROUPS### ###READS### ###WRITES### } apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.1/0000775000000000000000000000000012320025405020200 5ustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.1/ubuntu-sdk0000664000000000000000000003273212314313213022233 0ustar # # Example usage for an ubuntu-sdk app 'appname' # $ aa-easyprof 
--template=ubuntu-sdk \ # --profile-name=com.example.appname \ # -p networking \ # --template-var="@{APP_PKGNAME}=appname" \ # --template-var="@{APP_VERSION}=0.1" \ # "/usr/share/appname/**" # ###ENDUSAGE### # vim:syntax=apparmor #include ###VAR### ###PROFILEATTACH### (attach_disconnected) { #include #include # Temporary fix until LP: #1278702 is fixed in apparmor fonts abstraction /usr/share/libthai/thbrk.tri r, #include # Needed by native GL applications on Mir owner /{,var/}run/user/*/mir_socket rw, # Hardware-specific accesses #include "/usr/share/apparmor/hardware/graphics.d" # # DBus rules common for all apps # # Allow connecting to session bus and where to connect to services dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the session bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Allow connecting to system bus and where to connect to services. Put these # here so we don't need to repeat these rules in multiple places (actual # communications with any system services is mediated elsewhere). This does # allow apps to brute-force enumerate system services, but our system # services aren't a secret. 
/{,var/}run/dbus/system_bus_socket rw, dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the system bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Unity shell dbus (send) bus=session path="/BottomBarVisibilityCommunicator" interface="org.freedesktop.DBus.{Introspectable,Properties}" peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator), dbus (receive) bus=session path="/BottomBarVisibilityCommunicator" interface="com.canonical.Shell.BottomBarVisibilityCommunicator", # Unity HUD dbus (send) bus=session path="/com/canonical/hud" interface="org.freedesktop.DBus.Properties" member="GetAll", dbus (send) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="RegisterApplication", dbus (receive, send) bus=session path=/com/canonical/hud/applications/@{APP_ID_DBUS}*, dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Start", dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="End", dbus (send) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Changed" peer=(name=org.freedesktop.DBus), dbus (receive) bus=session 
path="/com/canonical/unity/actions" interface=org.gtk.Actions member={DescribeAll,Activate}, dbus (send) bus=session path="/com/canonical/unity/actions" interface=org.gtk.Actions member=Changed peer=(name=org.freedesktop.DBus), dbus (receive) bus=session path="/context_*" interface=org.gtk.Actions member="DescribeAll", dbus (receive) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="UpdatedQuery", dbus (receive) bus=session interface="com.canonical.hud.Awareness" member="CheckAwareness", # on screen keyboard (OSK) dbus (send) bus=session path="/org/maliit/server/address" interface="org.freedesktop.DBus.Properties" member=Get peer=(name=org.maliit.server), # URL dispatcher. All apps can call this since: # a) the dispatched application is launched out of process and not # controllable except via the specified URL # b) the list of url types is strictly controlled # c) the dispatched application will launch in the foreground over the # confined app dbus (send) bus=session path="/com/canonical/URLDispatcher" interface="com.canonical.URLDispatcher" member="DispatchURL", # This is needed when the app is already running and needs to be passed in # a URL to open. This is most often used with content-hub providers, but is # actually supported by Qt generally (though because we don't allow the send # a malicious app can't send this to another app). 
dbus (receive) bus=session path=/@{APP_ID_DBUS} interface="org.freedesktop.Application" member="Open", # TODO: finetune this dbus (send) bus=session peer=(name=org.a11y.Bus), dbus (receive) bus=session interface=org.a11y.atspi**, dbus (receive, send) bus=accessibility, # Deny potentially dangerous access deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, audit deny dbus bus=session interface="com.canonical.snapdecisions", deny dbus (send) bus=session interface="org.gnome.GConf.Server", # # end DBus rules common for all apps # # Explicitly deny dangerous access audit deny /dev/input/** rw, # FIXME: ought to go in a dbus abstraction, but dbus-session is too loose /var/lib/dbus/machine-id r, # subset of GNOME stuff /{,custom/}usr/share/icons/** r, /{,custom/}usr/share/themes/** r, /custom/xdg/data/themes/** r, /etc/pango/* r, /usr/lib{,32,64}/pango/** mr, /usr/lib/@{multiarch}/pango/** mr, /usr/share/icons/*/index.theme rk, /usr/share/unity/icons/** r, # ibus read accesses /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr, owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ r, owner @{HOME}/.config/ibus/bus/* r, deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded # subset of freedesktop.org /usr/share/mime/** r, owner @{HOME}/.local/share/mime/** r, owner @{HOME}/.config/user-dirs.dirs r, /usr/share/glib*/schemas/gschemas.compiled r, # various /proc entries (be careful to not allow things that can be used to # enumerate installed apps-- this will be easier once we have a PID kernel # var in AppArmor) @{PROC}/interrupts r, owner @{PROC}/cmdline r, owner @{PROC}/[0-9]*/auxv r, owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/ r, owner @{PROC}/[0-9]*/task/[0-9]*/ r, # FIXME: this leaks running process. Is it actually required? 
AppArmor kernel # var could solve this owner @{PROC}/[0-9]*/cmdline r, # libhybris /{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific) /usr/lib/@{multiarch}/libhybris/*.so mr, /system/build.prop r, # These libraries can be in any of: # /vendor/lib # /system/lib # /system/vendor/lib # /android/vendor/lib # /android/system/lib # /android/system/vendor/lib /{,android/}vendor/lib/** r, /{,android/}vendor/lib/**.so m, /{,android/}system/lib/** r, /{,android/}system/lib/**.so m, /{,android/}system/vendor/lib/** r, /{,android/}system/vendor/lib/**.so m, # attach_disconnected path /dev/socket/property_service rw, # Android logging triggered by platform. Can safely deny # LP: #1197124 deny /dev/log_main w, deny /dev/log_radio w, deny /dev/log_events w, deny /dev/log_system w, # Lttng tracing. Can safely deny. LP: #1260491 deny /{,var/}run/shm/lttng-ust-* r, # TODO: investigate deny /dev/cpuctl/apps/tasks w, deny /dev/cpuctl/apps/bg_non_interactive/tasks w, /sys/devices/system/cpu/ r, /sys/kernel/debug/tracing/trace_marker w, # LP: #1286162 /etc/udev/udev.conf r, /sys/devices/pci[0-9]*/**/uevent r, # Not required, but noisy deny /run/udev/data/** r, # # thumbnailing helper # /usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr, deny @{HOME}/.cache/tncache-write-text.null w, # silence access test # FIXME: this leaks running process. 
AppArmor kernel var could solve this owner @{PROC}/[0-9]*/attr/current r, # # apps may always use vibrations # /sys/class/timed_output/vibrator/enable rw, /sys/devices/virtual/timed_output/vibrator/enable rw, # # apps may always use the accelerometer and orientation sensor # /etc/xdg/QtProject/Sensors.conf r, # # qmlscene # /usr/share/qtchooser/ r, /usr/share/qtchooser/** r, /usr/lib/@{multiarch}/qt5/bin/qmlscene ixr, owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk, audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w, # # cordova-ubuntu # /usr/share/cordova-ubuntu*/ r, /usr/share/cordova-ubuntu*/** r, # # ubuntu-html5-app-launcher # /usr/share/ubuntu-html5-app-launcher/ r, /usr/share/ubuntu-html5-app-launcher/** r, /usr/share/ubuntu-html5-ui-toolkit/ r, /usr/share/ubuntu-html5-ui-toolkit/** r, # Launching under upstart requires this /usr/bin/qtchooser rmix, /usr/bin/cordova-ubuntu* rmix, /usr/bin/ubuntu-html5-app-launcher rmix, # qmlscene webview # TODO: investigate child profile /usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix, /usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix, # GStreamer binary registry - hybris pulls this in for everything now, not # just audio owner @{HOME}/.gstreamer*/registry.*.bin* r, deny @{HOME}/.gstreamer*/registry.*.bin* w, deny @{HOME}/.gstreamer*/ w, owner @{HOME}/.cache/gstreamer*/registry.*.bin* r, deny @{HOME}/.cache/gstreamer*/registry.*.bin* w, deny @{HOME}/.cache/gstreamer*/ w, # gstreamer writes JIT compiled code in the form of orcexec.* files. Various # locations are tried so silence the ones we won't permit anyway deny /tmp/orcexec* w, deny /{,var/}run/user/*/orcexec* w, deny @{HOME}/orcexec* w, /{,android/}system/etc/media_codecs.xml r, /etc/wildmidi/wildmidi.cfg r, # Don't allow plugins in webviews for now deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx, # cordova-ubuntu wants to run lsb_release, which is a python program and we # don't want to give access to that. 
cordova-ubuntu will fallback to # examining /etc/lsb-release directly, which is ok. If needed, we can lift # the denial and ship a profile for lsb_release and add a Pxr rule deny /usr/bin/lsb_release rx, /etc/ r, /etc/lsb-release r, # # Application install dirs # # Click packages @{CLICK_DIR}/@{APP_PKGNAME}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, # Packages shipped as debs have their install directory in /usr/share /usr/share/@{APP_PKGNAME}/ r, /usr/share/@{APP_PKGNAME}/** mrklix, # # Application writable dirs # # FIXME: LP: #1197060 owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk, # Allow writes to various (application-specific) XDG directories owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix, owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl, ###ABSTRACTIONS### ###POLICYGROUPS### ###READS### ###WRITES### } apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.1/unconfined0000777000000000000000000000000012252174726025051 2../1.0/unconfinedustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.1/default0000777000000000000000000000000012252373267023606 2ubuntu-sdkustar apparmor-easyprof-ubuntu-1.1.16/data/templates/ubuntu/1.1/ubuntu-webapp0000664000000000000000000003174012314313225022731 0ustar # # Example usage for an ubuntu-webapp app 'appname' # $ aa-easyprof --template=ubuntu-webapp \ # --profile-name=com.example.appname \ # -p networking \ # --template-var="@{APP_PKGNAME}=appname" \ # --template-var="@{APP_VERSION}=0.1" \ # "/usr/share/appname/**" # ###ENDUSAGE### # vim:syntax=apparmor #include 
###VAR### ###PROFILEATTACH### (attach_disconnected) { #include #include # Temporary fix until LP: #1278702 is fixed in apparmor fonts abstraction /usr/share/libthai/thbrk.tri r, #include # Needed by native GL applications on Mir owner /{,var/}run/user/*/mir_socket rw, # Hardware-specific accesses #include "/usr/share/apparmor/hardware/graphics.d" # # DBus rules common for all webapps # # Allow connecting to session bus and where to connect to services dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the session bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Allow connecting to system bus and where to connect to services. Put these # here so we don't need to repeat these rules in multiple places (actual # communications with any system services is mediated elsewhere). This does # allow apps to brute-force enumerate system services, but our system # services aren't a secret. 
/{,var/}run/dbus/system_bus_socket rw, dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), # NameHasOwner and GetNameOwner could leak running processes and apps # depending on how services are implemented dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), # Allow starting services on the system bus (actual communications with # the service are mediated elsewhere) dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), # Unity shell dbus (send) bus=session path="/BottomBarVisibilityCommunicator" interface="org.freedesktop.DBus.{Introspectable,Properties}" peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator), dbus (receive) bus=session path="/BottomBarVisibilityCommunicator" interface="com.canonical.Shell.BottomBarVisibilityCommunicator", # Unity HUD dbus (send) bus=session path="/com/canonical/hud" interface="org.freedesktop.DBus.Properties" member="GetAll", dbus (send) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="RegisterApplication", dbus (receive, send) bus=session path=/com/canonical/hud/applications/@{APP_ID_DBUS}*, dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Start", dbus (receive) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="End", dbus (send) bus=session path="/com/canonical/hud/publisher*" interface="org.gtk.Menus" member="Changed" peer=(name=org.freedesktop.DBus), dbus (receive) bus=session 
path="/com/canonical/unity/actions" interface=org.gtk.Actions member={DescribeAll,Activate}, dbus (send) bus=session path="/com/canonical/unity/actions" interface=org.gtk.Actions member=Changed peer=(name=org.freedesktop.DBus), dbus (receive) bus=session path="/context_*" interface=org.gtk.Actions member="DescribeAll", dbus (receive) bus=session path="/com/canonical/hud" interface="com.canonical.hud" member="UpdatedQuery", dbus (receive) bus=session interface="com.canonical.hud.Awareness" member="CheckAwareness", # on screen keyboard (OSK) dbus (send) bus=session path="/org/maliit/server/address" interface="org.freedesktop.DBus.Properties" member=Get peer=(name=org.maliit.server), # URL dispatcher. All apps can call this since: # a) the dispatched application is launched out of process and not # controllable except via the specified URL # b) the list of url types is strictly controlled # c) the dispatched application will launch in the foreground over the # confined app dbus (send) bus=session path="/com/canonical/URLDispatcher" interface="com.canonical.URLDispatcher" member="DispatchURL", # TODO: finetune this dbus (send) bus=session peer=(name=org.a11y.Bus), dbus (receive) bus=session interface=org.a11y.atspi**, dbus (receive, send) bus=accessibility, # Deny potentially dangerous access deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**, audit deny dbus bus=session interface="com.canonical.snapdecisions", deny dbus (send) bus=session interface="org.gnome.GConf.Server", # # end DBus rules common for all webapps # # Explicitly deny dangerous access audit deny /dev/input/** rw, # FIXME: ought to go in a dbus abstraction, but dbus-session is too loose /var/lib/dbus/machine-id r, # subset of GNOME stuff /{,custom/}usr/share/icons/** r, /{,custom/}usr/share/themes/** r, /custom/xdg/data/themes/** r, /etc/pango/* r, /usr/lib{,32,64}/pango/** mr, /usr/lib/@{multiarch}/pango/** mr, /usr/share/icons/*/index.theme rk, /usr/share/unity/icons/** r, # ibus read 
accesses /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr, owner @{HOME}/.config/ibus/ r, owner @{HOME}/.config/ibus/bus/ r, owner @{HOME}/.config/ibus/bus/* r, deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded # subset of freedesktop.org /usr/share/mime/** r, owner @{HOME}/.local/share/mime/** r, owner @{HOME}/.config/user-dirs.dirs r, # various /proc entries (be careful to not allow things that can be used to # enumerate installed apps-- this will be easier once we have a PID kernel # var in AppArmor) @{PROC}/interrupts r, owner @{PROC}/cmdline r, owner @{PROC}/[0-9]*/auxv r, owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/ r, owner @{PROC}/[0-9]*/task/[0-9]*/ r, # FIXME: this leaks running process. Is it actually required? AppArmor kernel # var could solve this owner @{PROC}/[0-9]*/cmdline r, # libhybris /{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific) /usr/lib/@{multiarch}/libhybris/*.so mr, /system/build.prop r, # These libraries can be in any of: # /vendor/lib # /system/lib # /system/vendor/lib # /android/vendor/lib # /android/system/lib # /android/system/vendor/lib /{,android/}vendor/lib/** r, /{,android/}vendor/lib/**.so m, /{,android/}system/lib/** r, /{,android/}system/lib/**.so m, /{,android/}system/vendor/lib/** r, /{,android/}system/vendor/lib/**.so m, # attach_disconnected path /dev/socket/property_service rw, # Android logging triggered by platform. Can safely deny # LP: #1197124 deny /dev/log_main w, deny /dev/log_radio w, deny /dev/log_events w, deny /dev/log_system w, # Lttng tracing. Can safely deny. 
LP: #1260491 deny /{,var/}run/shm/lttng-ust-* r, # TODO: investigate deny /dev/cpuctl/apps/tasks w, deny /dev/cpuctl/apps/bg_non_interactive/tasks w, /sys/devices/system/cpu/ r, /sys/kernel/debug/tracing/trace_marker w, # LP: #1286162 /etc/udev/udev.conf r, /sys/devices/pci[0-9]*/**/uevent r, # Not required, but noisy deny /run/udev/data/** r, # # thumbnailing helper # /usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr, deny @{HOME}/.cache/tncache-write-text.null w, # silence access test # FIXME: this leaks running process. AppArmor kernel var could solve this owner @{PROC}/[0-9]*/attr/current r, # # apps may always use vibrations # /sys/class/timed_output/vibrator/enable rw, /sys/devices/virtual/timed_output/vibrator/enable rw, # # apps may always use the accelerometer and orientation sensor # /etc/xdg/QtProject/Sensors.conf r, # # qmlscene # /usr/share/qtchooser/ r, /usr/share/qtchooser/** r, /usr/lib/@{multiarch}/qt5/bin/qmlscene ixr, owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk, audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w, # # webbrowser-app # /usr/share/webbrowser-app/ r, /usr/share/webbrowser-app/** r, /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r, # TODO: investigate child profile /usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix, /usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix, # Special API for the webapp-container to prepopulate the webapp's cookie jar # with online accounts' cookie for the account of the site of the webapp dbus (receive, send) bus=session interface=com.nokia.singlesignonui member=cookiesForIdentity, # GStreamer binary registry - hybris pulls this in for everything now, not # just audio owner @{HOME}/.gstreamer*/registry.*.bin* r, deny @{HOME}/.gstreamer*/registry.*.bin* w, deny @{HOME}/.gstreamer*/ w, owner @{HOME}/.cache/gstreamer*/registry.*.bin* r, deny @{HOME}/.cache/gstreamer*/registry.*.bin* w, deny @{HOME}/.cache/gstreamer*/ w, # gstreamer writes JIT compiled 
code in the form of orcexec.* files. Various # locations are tried so silence the ones we won't permit anyway deny /tmp/orcexec* w, deny /{,var/}run/user/*/orcexec* w, deny @{HOME}/orcexec* w, /{,android/}system/etc/media_codecs.xml r, /etc/wildmidi/wildmidi.cfg r, # system user scripts /usr/share/unity-webapps/userscripts/ r, /usr/share/unity-webapps/userscripts/** r, # Don't allow plugins in webapps for now deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx, # webapp-container for some reason asks for read on these directories, but # nothing else. This isn't needed, so deny the read deny /sys/bus/ r, deny /sys/class/ r, # Launching under upstart requires this /usr/bin/webapp-container rmix, # # Application install dirs # # Click packages @{CLICK_DIR}/@{APP_PKGNAME}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, # Packages shipped as debs have their install directory in /usr/share /usr/share/@{APP_PKGNAME}/ r, /usr/share/@{APP_PKGNAME}/** mrklix, # # Application writable dirs # # FIXME: LP: #1197060 owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk, # Allow writes to various (application-specific) XDG directories owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl, owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix, owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl, ###ABSTRACTIONS### ###POLICYGROUPS### ###READS### ###WRITES### } apparmor-easyprof-ubuntu-1.1.16/data/policygroups/0000775000000000000000000000000012163322072017125 5ustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/0000775000000000000000000000000012252174534020456 5ustar 
apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/0000775000000000000000000000000012314311356020746 5ustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/accounts0000664000000000000000000000353612276710321022521 0ustar # Description: Can use Online Accounts. This policy group is reserved for # vetted applications only in this version of the policy. Once LP: #1230091 # is fixed, this can be moved out of reserved status. # Usage: reserved /usr/share/accounts/** r, dbus (receive, send) bus=session path=/com/google/code/AccountsSSO/SingleSignOn interface=com.google.code.AccountsSSO.SingleSignOn.AuthService, dbus (receive, send) bus=session interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession, dbus (receive, send) bus=session interface=com.google.code.AccountsSSO.SingleSignOn.Identity, dbus (receive, send) bus=session interface=com.ubuntu.OnlineAccountsUi, dbus (receive) bus=session interface=com.google.code.AccountsSSO.Accounts, # p2p support uses a named unix socket owner /{,var/}run/user/*/signond/socket w, # read access to accounts.db is ok owner @{HOME}/.config/libaccounts-glib/accounts.db* rk, # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to # ro. This can go away once an access() LSM hook is implemented. For # now, just silence the denial. deny @{HOME}/.config/libaccounts-glib/accounts.db* w, # apps will dereference the symlinks in this directory to access their own # accounts provider (which is in an app-specific directory). This is not an # information leak on its own because users of this policy group have read # access to accounts.db. owner @{HOME}/.local/share/accounts/** r, # Note: this API should *not* be allowed to normal apps, only the # webapp-container. As such, we can't explicitly deny access here but it is # listed as a comment to make sure it isn't accidentally added in the future. 
# audit deny dbus (receive, send) # bus=session # interface=com.nokia.singlesignonui # member=cookiesForIdentity, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/camera0000664000000000000000000000106312225313263022121 0ustar # Description: Can access the camera(s) # Usage: common # android-based access. Remove once move away from binder (LP: #1197134) /dev/binder rw, /dev/ashmem rw, /android/system/media/audio/ui/camera_click.ogg r, # converged desktop #include /dev/ r, # TODO: maybe allow this? /dev/video* rw, /sys/devices/**/video4linux/video** r, /sys/devices/**/modalias r, /sys/devices/**/speed r, # These disclose the device to the app deny /sys/devices/virtual/dmi/id/* r, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/video_files0000664000000000000000000000047512212113357023165 0ustar # Description: Can read and write to video files. This policy group is # reserved for certain applications, such as video players. Developers # should typically use the content_exchange policy group and API to # access video files instead. # Usage: reserved owner @{HOME}/Videos/ r, owner @{HOME}/Videos/** rwk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/picture_files0000664000000000000000000000051412212113467023526 0ustar # Description: Can read and write to picture files. This policy group is # reserved for certain applications, such as gallery applications. # Developers should typically use the content_exchange policy group and # API to access picture files instead. 
# Usage: reserved owner @{HOME}/Pictures/ r, owner @{HOME}/Pictures/** rwk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/usermetrics0000664000000000000000000000027112221120533023226 0ustar # Description: Can use UserMetrics to update the InfoGraphic # Usage: common dbus (send) bus=system path=/com/canonical/UserMetrics** peer=(name=com.canonical.UserMetrics), apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/sensors0000664000000000000000000000022612212112002022345 0ustar # Description: Can access the sensors # Usage: common # android-based access. Remove once move away from audio flinger (LP: #1197134) /dev/binder rw, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/audio0000664000000000000000000000174012231470444021776 0ustar # Description: Can play audio # Usage: common /dev/ashmem rw, # Don't include the audio abstraction and enforce use of pulse instead /etc/pulse/ r, /etc/pulse/* r, /{run,dev}/shm/ r, # could allow enumerating apps owner /{run,dev}/shm/pulse-shm* rk, deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it owner @{HOME}/.pulse-cookie rk, owner @{HOME}/.pulse/ r, owner @{HOME}/.pulse/* rk, owner /{,var/}run/user/*/pulse/ r, owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be # used by confined apps owner @{HOME}/.config/pulse/cookie rk, # Force the use of pulseaudio and silence any denials for ALSA deny /usr/share/alsa/alsa.conf r, deny /dev/snd/ r, deny /dev/snd/* r, # Hardware-specific accesses #include "/usr/share/apparmor/hardware/audio.d" apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/friends0000664000000000000000000000377312314311333022330 0ustar # Description: Can use Friends social network service. This policy group is # reserved for vetted applications only in this version of the policy. Once # LP: #1231737 is fixed, this can be moved out of reserved status. 
# Usage: reserved # NOTE(review): the two Dispatcher rules directly below carry no bus= # conditional, unlike the rest of this group, so they are not restricted to # the session bus; confirm that is intended rather than an omission. dbus (send) path=/com/canonical/friends/Dispatcher interface=org.freedesktop.DBus.Properties, dbus (send) path=/com/canonical/friends/Dispatcher peer=(name=com.canonical.Friends.Dispatcher), dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName peer=(name=org.freedesktop.DBus), dbus (bind) bus=session name=com.canonical.Friends.Streams, dbus (send) bus=session path=/com/canonical/dee/peer/com/canonical/Friends/Streams interface=com.canonical.Dee.Peer peer=(name=com.canonical.Friends.Streams), dbus (receive) bus=session path=/com/canonical/dee/peer/com/canonical/Friends/Streams interface=com.canonical.Dee.Peer, dbus (send) bus=session path=/com/canonical/dee/model/com/canonical/Friends/Streams interface=com.canonical.Dee.Model peer=(name=com.canonical.Friends.Streams), dbus (receive) bus=session path=/com/canonical/dee/model/com/canonical/Friends/Streams interface=com.canonical.Dee.Model, # Access required for using freedesktop notifications # (perhaps move out to templates?) 
dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation, dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify, dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"), dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed, dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification, dbus (receive) bus=session path=/org/freedesktop/Notifications member=dataChanged, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/connectivity0000664000000000000000000000231112216151521023401 0ustar # Description: Can access coarse network connectivity information # Usage: common # APIs: QtSystemInfo::NetworkInfo, QHostAddress and QNetworkInterface /sys/class/net/ r, /sys/devices/**/net/*/carrier r, @{PROC}/[0-9]*/net/wireless r, # Most apps that need connectivity will also have networking, but just in case # only connectivity is needed, add these. network stream, network udp, # Don't allow the MAC. Perhaps this will be allowed in another policy group #/sys/devices/**/net/*/address r, # MAC # QtSystemInfo::NetworkInfo throws an error on systems with ofono. These # are the DBus calls that allow QtSystemInfo::NetworkInfo to work, but reveal # too much information. For now, leave the rules commented out and when # LP: #1226844 is fixed, we can see how to proceed # #dbus (send) # bus=system # path=/ # interface=org.ofono.Manager # member=GetModems # peer=(name=org.ofono), #dbus (send) # bus=system # path=/ril_* # interface=org.ofono.NetworkRegistration # member=GetProperties # peer=(name=org.ofono), #dbus (receive) # bus=system # path=/ril_* # interface=org.ofono.NetworkRegistration # member=PropertyChanged # peer=(name=org.freedesktop.DBus), apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/music_files_read0000664000000000000000000000046012212111733024160 0ustar # Description: Can read all music files. 
This policy group is reserved # for certain applications, such as music players. Developers should # typically use the content_exchange policy group and API to access # music files instead. # Usage: reserved owner @{HOME}/Music/ r, owner @{HOME}/Music/** r, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/video_files_read0000664000000000000000000000046212212113401024142 0ustar # Description: Can read all video files. This policy group is reserved # for certain applications, such as video players. Developers should # typically use the content_exchange policy group and API to access # video files instead. # Usage: reserved owner @{HOME}/Videos/ r, owner @{HOME}/Videos/** r, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/microphone0000664000000000000000000000244712216403654023047 0ustar # Description: Can access the microphone # Usage: common # Don't include the audio abstraction and enforce use of pulse instead /etc/pulse/ r, /etc/pulse/* r, /{run,dev}/shm/ r, # could allow enumerating apps owner /{run,dev}/shm/pulse-shm* rk, deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it owner @{HOME}/.pulse-cookie rk, owner @{HOME}/.pulse/ r, owner @{HOME}/.pulse/* rk, owner /{,var/}run/user/*/pulse/ r, owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be # used by confined apps owner @{HOME}/.config/pulse/cookie rk, # gstreamer - should these be application specific? owner @{HOME}/.gstreamer*/registry.*.bin* r, deny @{HOME}/.gstreamer*/registry.*.bin* w, deny @{HOME}/.gstreamer*/ w, # gstreamer writes JIT compiled code in the form of orcexec.* files. 
Various # locations are tried so silence the ones we won't permit anyway deny /tmp/orcexec* w, deny /{,var/}run/user/*/orcexec* w, deny @{HOME}/orcexec* w, # Force the use of pulseaudio and silence any denials for ALSA deny /usr/share/alsa/alsa.conf r, deny /dev/snd/ r, deny /dev/snd/* r, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/video0000664000000000000000000000142412231474340022001 0ustar # Description: Can play video # Usage: common # android-based access. Remove once move away from binder (LP: #1197134) /dev/binder rw, /dev/ashmem rw, # gstreamer - should these be application specific? owner @{HOME}/.gstreamer*/registry.*.bin* r, owner @{HOME}/.cache/gstreamer*/registry.*.bin* r, deny @{HOME}/.gstreamer*/registry.*.bin* w, deny @{HOME}/.cache/gstreamer*/registry.*.bin* w, deny @{HOME}/.gstreamer*/ w, deny @{HOME}/.cache/gstreamer*/ w, # gstreamer writes JIT compiled code in the form of orcexec.* files. Various # locations are tried so silence the ones we won't permit anyway deny /tmp/orcexec* w, deny /{,var/}run/user/*/orcexec* w, # Hardware-specific accesses #include "/usr/share/apparmor/hardware/video.d" apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/content_exchange_source0000664000000000000000000000117012214376776025604 0ustar # Description: Can provide/export data to other applications # Usage: common dbus (send) bus=session interface=org.freedesktop.DBus path=/org/freedesktop/DBus member=RequestName, dbus (bind) bus=session name=com.ubuntu.content.handler.@{APP_ID_DBUS}, dbus (receive) bus=session path=/com/ubuntu/content/handler/@{APP_ID_DBUS} interface=com.ubuntu.content.dbus.Handler, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Transfer path=/transfers/@{APP_ID_DBUS}/export/*, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Service, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/contacts0000664000000000000000000000233612222650545022517 0ustar # Description: Can 
access contacts. This policy group is reserved for vetted # applications only in this version of the policy. Once LP: #1227821 is # fixed, this can be moved out of reserved status. # Usage: reserved dbus (receive, send) bus=session path=/com/canonical/pim/AddressBook, dbus (receive, send) bus=session path=/com/canonical/pim/AddressBookView/**, # FIXME: LP: #1227818. Clients shouldn't access Telepathy directly. Remove # these when LP: #1227818 is fixed in address-book-app. dbus (send) bus=session path=/org/freedesktop/Telepathy/AccountManager peer=(name=org.freedesktop.Telepathy.AccountManager), dbus (receive) bus=session path=/org/freedesktop/Telepathy/AccountManager, dbus (send) bus=session path=/org/freedesktop/Telepathy/ChannelDispatcher peer=(name=org.freedesktop.Telepathy.ChannelDispatcher), dbus (receive) bus=session path=/org/freedesktop/Telepathy/ChannelDispatcher, dbus (send) bus=session path=/org/freedesktop/Telepathy/Account/** member=Get{,All} peer=(name=org.freedesktop.Telepathy.AccountManager), dbus (receive) bus=session path=/org/freedesktop/Telepathy/Account/** member=Get{,All}, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/history0000664000000000000000000000112212222650627022373 0ustar # Description: Can access the history-service. This policy group is reserved # for vetted applications only in this version of the policy. A future # version of the policy may move this out of reserved status. # Usage: reserved dbus (send) bus=session path=/com/canonical/HistoryService peer=(name=com.canonical.HistoryService), dbus (receive) bus=session path=/com/canonical/HistoryService, dbus (send) bus=session path=/com/canonical/HistoryService/** peer=(name=com.canonical.HistoryService), dbus (receive) bus=session path=/com/canonical/HistoryService/**, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/picture_files_read0000664000000000000000000000050112212113432024505 0ustar # Description: Can read all picture files. 
This policy group is reserved # for certain applications, such as gallery applications. Developers # should typically use the content_exchange policy group and API to # access picture files instead. # Usage: reserved owner @{HOME}/Pictures/ r, owner @{HOME}/Pictures/** r, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/networking0000664000000000000000000000563712306104604023070 0ustar # Description: Can access the network # Usage: common #include #include # DownloadManager dbus (send) bus=session interface="org.freedesktop.DBus.Introspectable" path=/ member=Introspect, dbus (send) bus=session interface="org.freedesktop.DBus.Introspectable" path=/com/canonical/applications/download/** member=Introspect, # Allow DownloadManager to send us signals, etc dbus (receive) bus=session interface=com.canonical.applications.Download{,er}Manager, # Restrict apps to just their own downloads dbus (receive, send) bus=session path=/com/canonical/applications/download/@{APP_ID_DBUS}/** interface=com.canonical.applications.Download, dbus (receive, send) bus=session path=/com/canonical/applications/download/@{APP_ID_DBUS}/** interface=com.canonical.applications.GroupDownload, # Be explicit about the allowed members we can send to dbus (send) bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.createDownload, dbus (send) bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.createDownloadGroup, dbus (send) bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.getAllDownloads, dbus (send) bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.getAllDownloadsWithMetadata, dbus (send) bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.defaultThrottle, dbus (send) 
bus=session path=/ interface=com.canonical.applications.DownloadManager member=com.canonical.applications.Downloader.isGSMDownloadAllowed, # Explicitly deny DownloadManager APIs apps shouldn't have access to in order # to make sure they aren't accidentally added in the future (see LP: #1277578 # for details) audit deny dbus (send) bus=session member=com.canonical.applications.Downloader.allowGSMDownload, audit deny dbus (send) bus=session member=com.canonical.applications.Downloader.createMmsDownload, audit deny dbus (send) bus=session member=com.canonical.applications.Downloader.exit, audit deny dbus (send) bus=session member=com.canonical.applications.Downloader.setDefaultThrottle, # We want to explicitly deny access to NetworkManager because its DBus API # gives away too much deny dbus (receive, send) bus=system path=/org/freedesktop/NetworkManager, deny dbus (receive, send) bus=system peer=(name=org.freedesktop.NetworkManager), # Do the same for ofono (LP: #1226844) deny dbus (receive, send) bus=system interface="org.ofono.Manager", apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/content_exchange0000664000000000000000000000117212214376772024222 0ustar # Description: Can request/import data from other applications # Usage: common dbus (send) bus=session interface=org.freedesktop.DBus path=/org/freedesktop/DBus member=RequestName, dbus (bind) bus=session name=com.ubuntu.content.handler.@{APP_ID_DBUS}, dbus (receive) bus=session path=/com/ubuntu/content/handler/@{APP_ID_DBUS} interface=com.ubuntu.content.dbus.Handler, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Transfer path=/transfers/@{APP_ID_DBUS}/import/*, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Service, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/calendar0000664000000000000000000000153412226151370022445 0ustar # Description: Can access the calendar. 
This policy group is reserved for # vetted applications only in this version of the policy. Once LP: #1227824 # is fixed, this can be moved out of reserved status. # Usage: reserved # The gsettings entries for EDS aren't required for the calendar, so # just silence these # TODO: remove when we have gsettings mediation deny /{,var/}run/user/*/dconf/user r, deny /{,var/}run/user/*/dconf/user w, deny @{HOME}/.config/dconf/user r, dbus (receive, send) bus=session path=/org/gnome/evolution/dataserver/SourceManager, dbus (receive, send) bus=session path=/org/gnome/evolution/dataserver/CalendarFactory, dbus (receive, send) bus=session path=/org/gnome/evolution/dataserver/Calendar/**, dbus (receive, send) bus=session path=/org/gnome/evolution/dataserver/CalendarView/**, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/music_files0000664000000000000000000000047312212111720023165 0ustar # Description: Can read and write to music files. This policy group is # reserved for certain applications, such as music players. Developers # should typically use the content_exchange policy group and API to # access music files instead. 
# Usage: reserved owner @{HOME}/Music/ r, owner @{HOME}/Music/** rwk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.0/location0000664000000000000000000000213712222650740022505 0ustar # Description: Can access Location # Usage: common # TODO: when implementation for LP: #1223371 and LP: #1223211 is finalized, # pick one of these # session bus (not currently used-- maybe with trust-store) dbus (send) bus=session path="/com/ubuntu/location/Service" interface="com.ubuntu.location.Service" peer=(name="com.ubuntu.location.Service"), dbus (receive) bus=session path="/com/ubuntu/location/Service" interface="com.ubuntu.location.Service", dbus (receive, send) bus=session interface="com.ubuntu.location.Service.Session", # system bus dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), dbus (send) bus=system path="/com/ubuntu/location/Service" interface="com.ubuntu.location.Service" peer=(name="com.ubuntu.location.Service"), dbus (receive) bus=system path="/com/ubuntu/location/Service" interface="com.ubuntu.location.Service", dbus (receive, send) bus=system interface="com.ubuntu.location.Service.Session", apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/0000775000000000000000000000000012321314100020733 5ustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/accounts0000777000000000000000000000000012252174566024772 2../1.0/accountsustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/camera0000777000000000000000000000000012252174566024014 2../1.0/cameraustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/video_files0000664000000000000000000000125212320763301023160 0ustar # Description: Can read and write to video files. This policy group is # reserved for certain applications, such as video players. Developers # should typically use the content_exchange policy group and API to # access video files instead. 
# Usage: reserved owner @{HOME}/Videos/ r, owner @{HOME}/Videos/** rwk, # These rules can move to common once LP: #1303962 is fixed # Allow talking to the media-hub and examining files from mediascanner dbus (receive, send) bus=session peer=(label=/usr/bin/media-hub-server), owner @{HOME}/.cache/media-art/ r, owner @{HOME}/.cache/media-art/** rk, owner @{HOME}/.cache/mediascanner/ r, owner @{HOME}/.cache/mediascanner/** rk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/picture_files0000777000000000000000000000000012252174566027026 2../1.0/picture_filesustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/usermetrics0000777000000000000000000000000012252174566026246 2../1.0/usermetricsustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/sensors0000777000000000000000000000000012252174566024524 2../1.0/sensorsustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/audio0000777000000000000000000000000012320762600023522 2../1.0/audioustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/friends0000777000000000000000000000000012252174566024420 2../1.0/friendsustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/connectivity0000777000000000000000000000000012252174566026570 2../1.0/connectivityustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/music_files_read0000664000000000000000000000123512320763256024177 0ustar # Description: Can read all music files. This policy group is reserved # for certain applications, such as music players. Developers should # typically use the content_exchange policy group and API to access # music files instead. 
# Usage: reserved owner @{HOME}/Music/ r, owner @{HOME}/Music/** r, # These rules can move to common once LP: #1303962 is fixed # Allow talking to the media-hub and examining files from mediascanner dbus (receive, send) bus=session peer=(label=/usr/bin/media-hub-server), owner @{HOME}/.cache/media-art/ r, owner @{HOME}/.cache/media-art/** rk, owner @{HOME}/.cache/mediascanner/ r, owner @{HOME}/.cache/mediascanner/** rk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/video_files_read0000664000000000000000000000123712320763314024162 0ustar # Description: Can read all video files. This policy group is reserved # for certain applications, such as video players. Developers should # typically use the content_exchange policy group and API to access # video files instead. # Usage: reserved owner @{HOME}/Videos/ r, owner @{HOME}/Videos/** r, # These rules can move to common once LP: #1303962 is fixed # Allow talking to the media-hub and examining files from mediascanner dbus (receive, send) bus=session peer=(label=/usr/bin/media-hub-server), owner @{HOME}/.cache/media-art/ r, owner @{HOME}/.cache/media-art/** rk, owner @{HOME}/.cache/mediascanner/ r, owner @{HOME}/.cache/mediascanner/** rk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/microphone0000777000000000000000000000000012252174566025642 2../1.0/microphoneustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/video0000777000000000000000000000000012320762606023542 2../1.0/videoustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/content_exchange_source0000777000000000000000000000000012252174566033124 2../1.0/content_exchange_sourceustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/contacts0000777000000000000000000000000012252174566024770 2../1.0/contactsustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/history0000777000000000000000000000000012252174566024536 2../1.0/historyustar 
apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/picture_files_read0000777000000000000000000000000012252174566031014 2../1.0/picture_files_readustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/networking0000777000000000000000000000000012252174566025712 2../1.0/networkingustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/content_exchange0000664000000000000000000000176512311653150024215 0ustar # Description: Can request/import data from other applications # Usage: common dbus (send) bus=session interface=org.freedesktop.DBus path=/org/freedesktop/DBus member=RequestName, dbus (bind) bus=session name=com.ubuntu.content.handler.@{APP_ID_DBUS}, dbus (receive) bus=session path=/com/ubuntu/content/handler/@{APP_ID_DBUS} interface=com.ubuntu.content.dbus.Handler, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Transfer path=/transfers/@{APP_ID_DBUS}/import/*, dbus (receive, send) bus=session interface=com.ubuntu.content.dbus.Service, # LP: #1293771 # Since fd delegation doesn't exist in the form that we need it at this time, # content-hub will create hard links in ~/.cache/@{APP_PKGNAME}/HubIncoming/ # for volatile data. As such, apps should not have write access to anything in # this directory otherwise they would be able to change the source content. deny @{HOME}/.cache/@{APP_PKGNAME}/HubIncoming/** w, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/calendar0000777000000000000000000000000012252174566024656 2../1.0/calendarustar apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/music_files0000664000000000000000000000125012320763251023174 0ustar # Description: Can read and write to music files. This policy group is # reserved for certain applications, such as music players. Developers # should typically use the content_exchange policy group and API to # access music files instead. 
# Usage: reserved owner @{HOME}/Music/ r, owner @{HOME}/Music/** rwk, # These rules can move to common once LP: #1303962 is fixed # Allow talking to the media-hub and examining files from mediascanner dbus (receive, send) bus=session peer=(label=/usr/bin/media-hub-server), owner @{HOME}/.cache/media-art/ r, owner @{HOME}/.cache/media-art/** rk, owner @{HOME}/.cache/mediascanner/ r, owner @{HOME}/.cache/mediascanner/** rk, apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/webview0000664000000000000000000001025412321314100022330 0ustar # Description: Can use the UbuntuWebview # Usage: common # UbuntuWebview /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r, ptrace (trace) peer=@{profile_name}, signal peer=@{profile_name}//oxide_helper, # LP: #1260090 - when this bug is fixed, oxide_renderer can become a # child profile of this profile, then we'll use Cx here and Px in # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship # as standalone profiles and we would just Px/px to them, but this is not # practical because oxide-renderer needs to access app-specific files # and shm files (when 1260103 is fixed). For now, have a single helper # profile for chrome-sandbox and oxide-renderer. 
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper, /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper, /usr/lib/@{multiarch}/oxide-qt/* r, @{PROC}/[0-9]*/task/[0-9]*/stat r, # LP: #1275917 (not a problem, but unnecessary) /usr/share/glib-2.0/schemas/gschemas.compiled r, # LP: #1260044 deny /usr/lib/@{multiarch}/qt5/bin/locales/ w, deny /usr/bin/locales/ w, # LP: #1260101 deny /run/user/[0-9]*/dconf/user rw, deny owner @{HOME}/.config/dconf/user r, # LP: #1260048 - only allow 'r' for now, since 'w' would allow poisoning # the NSS db. Note that the oxide_helper child profile below still grants # rw on this directory, so this deny only covers the app process itself. owner @{HOME}/.pki/nssdb/ r, owner @{HOME}/.pki/nssdb/** rk, deny @{HOME}/.pki/nssdb/ w, deny @{HOME}/.pki/nssdb/** w, # LP: (bug number missing from this reference) - sysfs PCI device attributes /sys/bus/pci/devices/ r, /sys/devices/pci[0-9]*/**/class r, /sys/devices/pci[0-9]*/**/device r, /sys/devices/pci[0-9]*/**/irq r, /sys/devices/pci[0-9]*/**/resource r, /sys/devices/pci[0-9]*/**/vendor r, /sys/devices/pci[0-9]*/**/removable r, /sys/devices/pci[0-9]*/**/uevent r, /sys/devices/pci[0-9]*/**/block/**/size r, /etc/udev/udev.conf r, # LP: #1260098 /tmp/ r, /var/tmp/ r, # LP: #1260103 owner /run/shm/.org.chromium.Chromium.* rwk, # LP: #1260090 - when this bug is fixed, oxide_renderer can become a # child profile of this profile, then we can use Cx here and Px in # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship # as standalone profiles and we would just Px/px to them, but this is not # practical because oxide-renderer needs to access app-specific files # and shm files (when 1260103 is fixed). For now, have a single helper # profile for chrome-sandbox and oxide-renderer. 
profile oxide_helper (attach_disconnected) { # # Shared by chrome-sandbox and oxide-renderer # #include # So long as we don't give /dev/binder, this should be 'ok' /{,android/}vendor/lib/*.so mr, /{,android/}system/lib/*.so mr, /{,android/}system/vendor/lib/*.so mr, /system/build.prop r, /dev/socket/property_service rw, # attach_disconnected path @{PROC}/ r, @{PROC}/[0-9]*/ r, @{PROC}/[0-9]*/fd/ r, @{PROC}/[0-9]*/auxv r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/ r, owner @{PROC}/[0-9]*/task/[0-9]*/stat r, # # chrome-sandbox specific # # Required for entering the PID namespace. Keep in mind that while the # process still holds this capability it can escape confinement; the # confinement only becomes meaningful once it drops CAP_SYS_ADMIN. capability sys_admin, # All of these are for sanely dropping from root and chrooting capability chown, capability fsetid, capability setgid, capability setuid, capability dac_override, capability sys_chroot, capability sys_ptrace, ptrace (read, readby), signal peer=@{APP_PKGNAME}_*_@{APP_VERSION}, # LP: #1260115 owner @{PROC}/[0-9]*/oom_adj w, owner @{PROC}/[0-9]*/oom_score_adj w, /usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix, # # oxide-renderer specific # #include @{PROC}/sys/kernel/shmmax r, @{PROC}/sys/kernel/yama/ptrace_scope r, deny /etc/passwd r, deny /tmp/ r, deny /var/tmp/ r, /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox rmix, # LP: #1260103 /run/shm/.org.chromium.Chromium.* rwk, # LP: #1260048 - unlike the parent profile (which denies 'w' here), the # helper is granted write access, so the parent's nssdb write deny only # covers the app process itself and not a compromised renderer. owner @{HOME}/.pki/nssdb/ rw, owner @{HOME}/.pki/nssdb/** rwk, # LP: #1260044 deny /usr/lib/@{multiarch}/oxide-qt/locales/ w, } apparmor-easyprof-ubuntu-1.1.16/data/policygroups/ubuntu/1.1/location0000777000000000000000000000000012252174566024754 2../1.0/locationustar