diff --git a/profiles/Makefile b/profiles/Makefile index cb5e8e07a..b46cabbac 100644 --- a/profiles/Makefile +++ b/profiles/Makefile @@ -37,17 +37,19 @@ PROFILES_DEST=${DESTDIR}/etc/apparmor.d EXTRAS_DEST=${DESTDIR}/etc/apparmor/profiles/extras/ PROFILES_SOURCE=./apparmor.d EXTRAS_SOURCE=./apparmor/profiles/extras/ -SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables +SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions ${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks ${PROFILES_SOURCE}/tunables PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*)) .PHONY: install install: install -m 755 -d ${PROFILES_DEST} install -m 755 -d ${PROFILES_DEST}/abstractions \ + ${PROFILES_DEST}/apache2.d \ ${PROFILES_DEST}/program-chunks \ ${PROFILES_DEST}/tunables install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST} install -m 644 ${PROFILES_SOURCE}/abstractions/* ${PROFILES_DEST}/abstractions + install -m 644 ${PROFILES_SOURCE}/apache2.d/* ${PROFILES_DEST}/apache2.d install -m 644 ${PROFILES_SOURCE}/program-chunks/* ${PROFILES_DEST}/program-chunks install -m 644 ${PROFILES_SOURCE}/tunables/* ${PROFILES_DEST}/tunables install -m 755 -d ${EXTRAS_DEST} diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base index 3f159443a..afc5f1277 100644 --- a/profiles/apparmor.d/abstractions/base +++ b/profiles/apparmor.d/abstractions/base 
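Review bot: The new apache2.d subdirectory has to be repeated in three places in this hunk — the SUBDIRS_MUST_BE_SKIPPED list, the `install -m 755 -d` argument list and a per-directory `install -m 644` line — so the next subdirectory added will likely be missed in one of them; a single list variable can drive all three, as sketched below. `${PROFILES_SOURCE}/apache2.d/*` is also an unquoted shell glob, so if apache2.d were ever empty the literal `*` would reach `install` and fail, whereas PROFILES_TO_COPY is built with `$(wildcard …)` which expands to nothing in that case. The hunk keeps the file's recursive `=` flavour, so that `$(wildcard)` is re-run on every reference; harmless at this size, but `:=` is the usual choice.
```make
PROFILE_SUBDIRS=abstractions apache2.d program-chunks tunables
SUBDIRS_MUST_BE_SKIPPED=$(addprefix ${PROFILES_SOURCE}/,${PROFILE_SUBDIRS})
# … unchanged: PROFILES_TO_COPY, .PHONY …
install:
	install -m 755 -d ${PROFILES_DEST} $(addprefix ${PROFILES_DEST}/,${PROFILE_SUBDIRS})
	install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
	for d in ${PROFILE_SUBDIRS}; do \
	    install -m 644 ${PROFILES_SOURCE}/$$d/* ${PROFILES_DEST}/$$d || exit 1; \
	done
	# … unchanged: EXTRAS_DEST install …
```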
@@ -84,3 +84,19 @@ # some applications will display license information /usr/share/common-licenses/** r, + + # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked + # filesystems generally. This does not appreciably decrease security with + # Ubuntu profiles because the user is expected to have access to files owned + # by him/her. Exceptions to this are explicit in the profiles. While this rule + # grants access to those exceptions, the intended privacy is maintained due to + # the encrypted contents of the files in this directory. Files in this + # directory will also use filename encryption by default, so the files are + # further protected. Also, with the use of 'owner', this rule properly + # prevents access to the files from processes running under a different uid. + + # encrypted ~/.Private and old-style encrypted $HOME + owner @{HOME}/.Private/** mrixwlk, + # new-style encrypted $HOME + owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + diff --git a/profiles/apparmor.d/abstractions/launchpad-integration b/profiles/apparmor.d/abstractions/launchpad-integration new file mode 100644 index 000000000..32d85bc0c --- /dev/null +++ b/profiles/apparmor.d/abstractions/launchpad-integration @@ -0,0 +1,6 @@ +# vim:syntax=apparmor +# launchpad-integration + + # allow launchpad-integration to run unconfined using Secure Execution (Ux) + /usr/bin/launchpad-integration Uxr, + diff --git a/profiles/apparmor.d/abstractions/private-files b/profiles/apparmor.d/abstractions/private-files new file mode 100644 index 000000000..7367e8201 --- /dev/null +++ b/profiles/apparmor.d/abstractions/private-files 
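Review bot: `owner @{HOME}/.Private/** mrixwlk,` and `owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,` grant write, link, lock and inherit-exec on the ciphertext of every file in an encrypted home, so the `deny … w` rules of the private-files abstractions added in this same commit stop protecting those files' lower copies: a confined process cannot read ~/.ssh through the mounted home but can still truncate, replace or unlink encrypted entries under .Private (the names are encrypted, but the directory is enumerable with the `r` granted here). The long comment only argues confidentiality; it should say that integrity and availability are not covered, e.g. `# NOTE: this preserves confidentiality only — deny rules on @{HOME} paths do not reach the encrypted lower files, which stay writable/unlinkable here`. Whether `w`, `l` and `k` are needed at all for the stacked-filesystem workaround depends on the failure mode of the referenced bug, which is not visible here.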
@@ -0,0 +1,26 @@
+# vim:syntax=apparmor
+# privacy-violations contains rules for common files that you want to explicity
+# deny access
+
+ # privacy violations (don't audit files under $HOME otherwise get a
+ # lot of false positives when reading contents of directories)
+ deny @{HOME}/.*history mrwkl,
+ deny @{HOME}/.fetchmail* mrwkl,
+ deny @{HOME}/.viminfo* mrwkl,
+ deny @{HOME}/.*~ mrwkl,
+ deny @{HOME}/.*.swp mrwkl,
+ deny @{HOME}/.*~1~ mrwkl,
+ deny @{HOME}/.*.bak mrwkl,
+
+ # special attention to (potentially) executable files
+ audit deny @{HOME}/bin/** wl,
+
+ deny @{HOME}/.bash* mrk,
+ audit deny @{HOME}/.bash* wl,
+
+ deny @{HOME}/.profile* mrk,
+ audit deny @{HOME}/.profile* wl,
+
+ deny @{HOME}/.*rc mrk,
+ audit deny @{HOME}/.*rc wl,
+
diff --git a/profiles/apparmor.d/abstractions/private-files-strict b/profiles/apparmor.d/abstractions/private-files-strict
new file mode 100644
index 000000000..5f8f3e098
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/private-files-strict
@@ -0,0 +1,12 @@
+# vim:syntax=apparmor
+# privacy-violations-strict contains additional rules for sensitive
+# files that you want to explicity deny access
+
+ #include
+
+ # potentially extremely sensitive files
+ audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+ audit deny @{HOME}/.mozilla/** mrwkl,
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers b/profiles/apparmor.d/abstractions/ubuntu-browsers
new file mode 100644
index 000000000..a2f69b7c8
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers
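Review bot: The header comment names this file `privacy-violations` while the file is `private-files` (and `privacy-violations-strict` vs `private-files-strict` in the next hunk), and both misspell `explicity`; suggest `# private-files contains rules for common files that you want to explicitly deny access to` and the matching fix in the strict variant. The header should also state that these `deny` rules bind only the confined process itself: a profile that includes this abstraction together with one of the `Ux` abstractions added in this commit can still hand the same files to an unconfined child, so the deny is not transitive across an unconfined exec. The mixed use of plain `deny` for reads and `audit deny` for writes matches the comment about false positives and is fine as is.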
@@ -0,0 +1,30 @@
+#
+# abstraction for allowing access to graphical browsers in Ubuntu
+#
+
+ /usr/bin/arora Ux,
+ /usr/bin/chromium-browser Ux,
+ /usr/bin/conkeror Ux,
+ /usr/bin/dillo Ux,
+ /usr/bin/Dooble Ux,
+ /usr/bin/epiphany Ux,
+ /usr/bin/epiphany-browser Ux,
+ /usr/bin/epiphany-webkit Ux,
+ /usr/lib/fennec-*/fennec Ux,
+ /usr/bin/galeon Ux,
+ /usr/bin/kazehakase Ux,
+ /usr/bin/konqueror Ux,
+ /usr/bin/midori Ux,
+ /usr/bin/netsurf Ux,
+ /usr/bin/prism Ux,
+ /usr/bin/rekonq Ux,
+ /usr/bin/seamonkey Ux,
+ /usr/lib/chromium-browser/chromium-browser Ux,
+
+ # this should cover all firefox browsers and versions (including shiretoko
+ # and abrowser)
+ /usr/lib/firefox-*/firefox.sh Ux,
+
+ # some unpackaged, but popular browsers
+ /usr/lib/icecat-*/icecat Ux,
+ /usr/bin/opera Ux,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-browsers b/profiles/apparmor.d/abstractions/ubuntu-console-browsers
new file mode 100644
index 000000000..234cb0011
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-console-browsers
@@ -0,0 +1,14 @@
+#
+# abstraction for allowing access to text-only browsers in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include
+#
+
+ /usr/bin/elinks Ux,
+ /usr/bin/links Ux,
+ /usr/bin/lynx.cur Ux,
+ /usr/bin/netrik Ux,
+ /usr/bin/w3m Ux,
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-console-email b/profiles/apparmor.d/abstractions/ubuntu-console-email
new file mode 100644
index 000000000..38a40d3b8
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-console-email
@@ -0,0 +1,14 @@
+#
+# abstraction for allowing console email clients in Ubuntu. These will
+# typically also need a terminal, so when using this abstraction, should also
+# do something like:
+#
+# #include
+#
+
+ /usr/bin/alpine Ux,
+ /usr/bin/citadel Ux,
+ /usr/bin/cone Ux,
+ /usr/bin/elmo Ux,
+ /usr/bin/mutt Ux,
+
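Review bot: Every rule in this hunk uses `Ux`, which runs the browser unconfined even when a profile for it is loaded on the system (notably `/usr/lib/firefox-*/firefox.sh Ux,` when a firefox profile is installed), so including this abstraction silently drops that confinement; `PUx` runs the target under its own profile when one exists and falls back to unconfined otherwise, which is the behaviour an abstraction meant for many includers wants. The same applies to ubuntu-console-browsers and ubuntu-console-email on this line and to ubuntu-email on the next. A header line such as `# Ux: browsers run unconfined; prefer PUx so a browser with its own profile stays confined` would make the trade-off visible to includers.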
diff --git a/profiles/apparmor.d/abstractions/ubuntu-email b/profiles/apparmor.d/abstractions/ubuntu-email
new file mode 100644
index 000000000..64dc8b290
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-email
@@ -0,0 +1,19 @@
+#
+# abstraction for allowing graphical email clients in Ubuntu
+#
+
+ /usr/bin/anjal Ux,
+ /usr/bin/balsa Ux,
+ /usr/bin/claws-mail Ux,
+ /usr/bin/evolution Ux,
+ /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Ux,
+ /usr/bin/kmail Ux,
+ /usr/bin/mailody Ux,
+ /usr/bin/modest Ux,
+ /usr/bin/seamonkey Ux,
+ /usr/bin/sylpheed Ux,
+ /usr/bin/tkrat Ux,
+
+ /usr/lib/thunderbird/thunderbird Ux,
+
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal b/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
new file mode 100644
index 000000000..cd42fd5cb
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-gnome-terminal
@@ -0,0 +1,9 @@
+#
+# for allowing access to gnome-terminal
+#
+
+ #include
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/gnome-terminal ix,
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-konsole b/profiles/apparmor.d/abstractions/ubuntu-konsole
new file mode 100644
index 000000000..0ce1a1922
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-konsole
@@ -0,0 +1,16 @@
+#
+# for allowing access to konsole
+#
+
+ #include
+ #include
+ capability sys_ptrace,
+ @{PROC}/[0-9]*/status r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/cmdline r,
+ /var/run/utmp r,
+ /dev/ptmx rw,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/konsole ix,
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-xterm b/profiles/apparmor.d/abstractions/ubuntu-xterm
new file mode 100644
index 000000000..db3586c6d
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-xterm
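Review bot: `capability sys_ptrace,` in ubuntu-konsole is granted to the whole including profile, not just to konsole, because `/usr/bin/konsole ix,` keeps the child in the includer's profile; CAP_SYS_PTRACE permits tracing arbitrary processes, which is far more than the `@{PROC}/[0-9]*/{status,stat,cmdline}` reads next to it require on their own. There is no why-comment; `# sys_ptrace: konsole inspects other processes' @{PROC} entries — confirm it is still required` would at least record the assumption. If the parser in use supports child profiles (`Cx`), moving konsole into one would scope the capability to konsole alone, in line with the note that it must not run as `ux`/`Ux`.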
@@ -0,0 +1,12 @@
+#
+# for allowing access to xterm
+#
+
+ #include
+ /dev/ptmx rw,
+ /var/run/utmp r,
+ /etc/X11/app-defaults/XTerm r,
+
+ # do not use ux or Ux here. Use at a minimum ix
+ /usr/bin/xterm ix,
+
diff --git a/profiles/apparmor.d/apache2.d/phpsysinfo b/profiles/apparmor.d/apache2.d/phpsysinfo
new file mode 100644
index 000000000..8170f09c8
--- /dev/null
+++ b/profiles/apparmor.d/apache2.d/phpsysinfo
@@ -0,0 +1,40 @@
+# Last Modified: Fri Sep 11 13:27:22 2009
+# Author: Marc Deslauriers
+
+ ^phpsysinfo {
+ #include
+ #include
+ #include
+
+ /bin/dash ixr,
+ /bin/df ixr,
+ /bin/mount ixr,
+ /bin/uname ixr,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+ /etc/debian_version r,
+ /etc/lsb-release r,
+ /etc/mtab r,
+ /etc/phpsysinfo/config.php r,
+ /proc/** r,
+ /proc/*/attr/current w,
+ /sys/bus/pci/devices/ r,
+ /sys/devices/** r,
+ /usr/bin/apt-cache ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/bin/lsb_release ixr,
+ /usr/bin/lspci ixr,
+ /usr/bin/who ixr,
+ /usr/sbin/lsusb ixr,
+ /usr/share/phpsysinfo/** r,
+ /var/lib/dpkg/available r,
+ /var/lib/dpkg/status r,
+ /var/lib/dpkg/triggers/* r,
+ /var/lib/dpkg/updates/ r,
+ /var/lib/misc/usb.ids r,
+ /var/log/apache2/access.log w,
+ /var/log/apache2/error.log w,
+ /var/run/utmp rk,
+ /usr/share/misc/pci.ids r,
+
+ }
diff --git a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
new file mode 100644
index 000000000..4b3a55813
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
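Review bot: `/proc/** r,` in the phpsysinfo hat gives a web-application hat read access to every process's /proc tree, far wider than the system-information files a status page needs, and the `/proc/*/attr/current w,` directly below it carries no comment although it is the interface through which a task rewrites its own AppArmor confinement. Narrowing the first to the specific entries phpsysinfo reads (using `@{PROC}/` as the ubuntu-konsole abstraction in this commit does, rather than literal `/proc/`) and commenting the second, e.g. `# attr/current w: presumably needed for mod_apparmor's change_hat back to the parent profile — confirm`, would document why a hat handling web requests may change its confinement. `/var/run/utmp rk,` is presumably for the `who` child and could say so.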
@@ -0,0 +1,76 @@
+# Last Modified: Wed Sep 16 11:58:00 2009
+# Author: Marc Deslauriers
+#include
+
+/usr/lib/apache2/mpm-prefork/apache2 {
+
+ # This is profile is completely permissive.
+ # It is designed to target specific applications using mod_apparmor,
+ # hats, and the apache2.d directory.
+ #
+ # In order to enable this profile, you must:
+ #
+ # 1- Enable it:
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 2- Load the mod_apparmor module:
+ # sudo a2enmod apparmor
+ #
+ # 3- Place an appropriate profile containing the desired hat in the
+ # /etc/apparmor.d/apache2.d directory
+ #
+ # 4- Use the "AAHatName" apache configuration option to specify a hat to
+ # be used for a given apache directory or location directive
+ #
+ #
+ # There is an example profile for phpsysinfo included in the
+ # apparmor-profiles package. To try it:
+ #
+ # 1- Install the phpsysinfo and the apparmor-profiles packages:
+ # sudo apt-get install phpsysinfo apparmor-profiles
+ #
+ # 2- Enable the main apache2 profile
+ # sudo aa-enforce /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+ #
+ # 3- Configure apache with the following:
+ #
+ # AAHatName phpsysinfo
+ #
+ #
+
+ #include
+ #include
+
+ capability kill,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_tty_config,
+
+ / rw,
+ /** mrwlkix,
+
+
+ ^DEFAULT_URI {
+ #include
+ #include
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT {
+ #include
+
+ / rw,
+ /** mrwlkix,
+
+ }
+
+ # This directory contains web application
+ # package-specific apparmor files.
+
+ #include
+
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.deliver b/profiles/apparmor.d/usr.lib.dovecot.deliver
new file mode 100644
index 000000000..5d95c7e48
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.deliver
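Review bot: The header line `# This is profile is completely permissive.` has a stray `is`, and the comment block never says what a reader will otherwise miss: the `^DEFAULT_URI` and `^HANDLING_UNTRUSTED_INPUT` hats repeat the top-level `/ rw,` and `/** mrwlkix,`, so enabling this profile confines nothing until an apache2.d hat is selected via `AAHatName`. A line such as `# The hats below are deliberately as permissive as the main profile; tighten them per site once application hats are in place` next to `^HANDLING_UNTRUSTED_INPUT {` would stop the hat name being read as a hardened state. `/** mrwlkix,` also includes `ix`, so anything apache executes runs with these unrestricted permissions; if that is intended for a placeholder profile, the comment block should say so.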
@@ -0,0 +1,20 @@
+# Last Modified: Wed Jun 10 00:20:56 2009
+# Author: Dulmandakh Sukhbaatar
+#include
+/usr/lib/dovecot/deliver flags=(complain) {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/dovecot/dovecot-postfix.conf r,
+ @{HOME} r,
+ @{HOME}/Maildir/ rw,
+ @{HOME}/Maildir/** klrw,
+ @{HOME}/mail/ rw,
+ @{HOME}/mail/* klrw,
+ @{HOME}/mail/.imap/** klrw,
+ /usr/lib/dovecot/deliver mr,
+ /var/mail/* klrw,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
new file mode 100644
index 000000000..27eb8faaa
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
@@ -0,0 +1,20 @@
+# Last Modified: Fri Oct 10 17:19:26 2008
+# Author: Kees Cook
+#include
+/usr/lib/dovecot/dovecot-auth flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability chown,
+ capability dac_override,
+
+ /proc/*/mounts r,
+ /usr/lib/dovecot/dovecot-auth mr,
+ /var/run/utmp k,
+ /var/run/dovecot/** rw,
+ # required for postfix+dovecot integration
+ /var/spool/postfix/private/dovecot-auth w,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap
new file mode 100644
index 000000000..7cf048e5a
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@@ -0,0 +1,19 @@
+# Last Modified: Sat Oct 11 09:17:38 2008
+# Author: Kees Cook
+#include
+/usr/lib/dovecot/imap flags=(complain) {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ @{HOME} r,
+ @{HOME}/Maildir/ rw,
+ @{HOME}/Maildir/** klrw,
+ @{HOME}/mail/ rw,
+ @{HOME}/mail/* klrw,
+ @{HOME}/mail/.imap/** klrw,
+ /usr/lib/dovecot/imap mr,
+ /var/mail/* klrw,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap-login b/profiles/apparmor.d/usr.lib.dovecot.imap-login
new file mode 100644
index 000000000..8c8ba5a6a
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login
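Review bot: The mailbox rules in usr.lib.dovecot.deliver (`@{HOME} r,` through `/var/mail/* klrw,`) are duplicated verbatim in usr.lib.dovecot.imap on this line and in a slightly different form in usr.lib.dovecot.pop3 on the next (pop3 lacks `@{HOME}/mail/ rw,`), so the three will drift; a shared abstraction included by all three would keep them aligned. Within the set, `@{HOME}/mail/* klrw,` matches only files directly under mail/, so mbox folders in subdirectories would be denied (logged only, as the profile is in complain mode) while `@{HOME}/Maildir/** klrw,` covers arbitrary depth; whether that asymmetry is intended is not visible here. None of the dovecot profiles says what `flags=(complain)` is waiting on before enforcement, which a one-line header comment could record.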
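Review bot: `capability chown,` and `capability dac_override,` in usr.lib.dovecot.dovecot-auth have no justification, unlike the postfix socket rule at the end of the profile which explains its purpose; dac_override lets dovecot-auth bypass file permission checks on every path this profile allows, so whoever moves the profile out of complain mode needs to know whether it can be dropped. Suggest `# chown/dac_override: presumably for creating and re-owning the auth sockets under /var/run/dovecot — confirm against logged denials` above the capability lines. `/proc/*/mounts r,` also uses a literal `/proc/` where the ubuntu-konsole abstraction in this commit uses `@{PROC}`.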
@@ -0,0 +1,18 @@
+# Last Modified: Wed Oct 8 00:20:56 2008
+# Author: Kees Cook
+#include
+/usr/lib/dovecot/imap-login flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+
+ /usr/lib/dovecot/imap-login mr,
+ /var/run/dovecot/login/ r,
+ /var/run/dovecot/login/* rw,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
new file mode 100644
index 000000000..c23e5ea8c
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login
@@ -0,0 +1,18 @@
+# Last Modified: Wed Jun 10 00:20:56 2009
+# Author: Dulmandakh Sukhbaatar
+#include
+/usr/lib/dovecot/managesieve-login flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ network inet stream,
+
+ /usr/lib/dovecot/managesieve-login mr,
+ /var/run/dovecot/login/ r,
+ /var/run/dovecot/login/* rw,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3
new file mode 100644
index 000000000..b9b323c37
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@@ -0,0 +1,18 @@
+# Last Modified: Wed Oct 8 00:21:56 2008
+# Author: Kees Cook
+#include
+/usr/lib/dovecot/pop3 flags=(complain) {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /var/mail/* klrw,
+ @{HOME} r,
+ @{HOME}/mail/* klrw,
+ @{HOME}/mail/.imap/** klrw,
+ @{HOME}/Maildir/ rw,
+ @{HOME}/Maildir/** klrw,
+ /usr/lib/dovecot/pop3 mr,
+}
diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3-login b/profiles/apparmor.d/usr.lib.dovecot.pop3-login
new file mode 100644
index 000000000..5cbafabfa
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3-login
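Review bot: `network inet stream,` in usr.lib.dovecot.imap-login permits IPv4 sockets only, so an IPv6 listener configured in dovecot would be denied; add `network inet6 stream,` next to it. usr.lib.dovecot.managesieve-login on this line has the same rule and the same gap, while usr.lib.dovecot.pop3-login on the next line has no `network` rule at all despite being the same kind of login process with the same `sys_chroot`/setuid/setgid set, which looks like an omission rather than a design difference. All three are complain-mode profiles, so these denials would show up only as log noise until enforced.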
@@ -0,0 +1,17 @@
+# Last Modified: Wed Oct 8 00:20:57 2008
+# Author: Kees Cook
+#include
+/usr/lib/dovecot/pop3-login flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/pop3-login mr,
+ /var/run/dovecot/login/ r,
+ /var/run/dovecot/login/* rw,
+}
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
new file mode 100644
index 000000000..c64fd3759
--- /dev/null
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -0,0 +1,33 @@
+# Last Modified: Fri Oct 10 17:20:34 2008
+# Author: Kees Cook
+#include
+/usr/sbin/dovecot flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ /etc/dovecot/** r,
+ /etc/mtab r,
+ /usr/lib/dovecot/dovecot-auth Pxmr,
+ /usr/lib/dovecot/imap Pxmr,
+ /usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/pop3 Px,
+ /usr/lib/dovecot/pop3-login Pxmr,
+ # temporarily commented out while testing
+ #/usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
+ /usr/lib/dovecot/ssl-build-param ixr,
+ /usr/sbin/dovecot mr,
+ /var/lib/dovecot/ w,
+ /var/lib/dovecot/* krw,
+ /var/run/dovecot/ rw,
+ /var/run/dovecot/** rw,
+}
diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd
new file mode 100644
index 000000000..ee98ae907
--- /dev/null
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Jun 20 13:22:50 2007
+#include
+
+/usr/sbin/nmbd flags=(complain) {
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+
+ /usr/sbin/nmbd mr,
+ /var/cache/samba/browse.dat* rw,
+ /var/lib/samba/wins.dat* rw,
+ /var/run/samba/** rk,
+ /var/run/samba/nmbd.pid rw,
+ /var/log/samba/cores/nmbd/ rw,
+ /var/log/samba/cores/nmbd/** rw,
+}
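Review bot: `#/usr/lib/dovecot/managesieve Px,` in usr.sbin.dovecot is a commented-out rule under `# temporarily commented out while testing`, and this commit adds no usr.lib.dovecot.managesieve profile although it adds managesieve-login, so uncommenting the line later would make the `Px` transition fail for lack of a target profile; either ship the profile alongside or replace both lines with a comment stating that managesieve is intentionally left unhandled. `/usr/lib/dovecot/pop3 Px,` also differs from its siblings' `Pxmr`; the `mr` on a `Px` line is the parent's own read/map access to the binary, and whichever form is right the list should be uniform. `/var/lib/dovecot/ w,` grants write on the directory without `r`, unlike `/var/run/dovecot/ rw,` two lines below, which looks unintended.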
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
new file mode 100644
index 000000000..5c5369916
--- /dev/null
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -0,0 +1,38 @@
+# vim:syntax=apparmor
+# Last Modified: Wed Jun 20 13:34:25 2007
+#include
+
+/usr/sbin/smbd flags=(complain) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_resource,
+ capability sys_tty_config,
+
+ /etc/mtab r,
+ /etc/printcap r,
+ /proc/*/mounts r,
+ /usr/sbin/smbd mr,
+ /var/cache/samba/** rwk,
+ /var/cache/samba/printing/printers.tdb mrw,
+ /var/lib/samba/** rwk,
+ /var/lib/samba/printers/** rw,
+ /var/run/cups/cups.sock rw,
+ /var/run/dbus/system_bus_socket rw,
+ /var/run/samba/** rk,
+ /var/run/samba/smbd.pid rw,
+ /var/log/samba/cores/smbd/ rw,
+ /var/log/samba/cores/smbd/** rw,
+ /var/spool/samba/** rw,
+
+ @{HOMEDIRS}/** lrw,
+}
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index 3e92b70fe..bfb50ecc9 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
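Review bot: `@{HOMEDIRS}/** lrw,` is the rule covering home-directory shares, yet it omits `k` while `/var/cache/samba/** rwk,` and `/var/lib/samba/** rwk,` above include it; smbd presumably takes POSIX locks on the files it serves, so lock requests on home shares would be denied (logged only while the profile stays in complain mode). Shares outside `@{HOMEDIRS}` have no rule at all, which is right for a generic profile but deserves a comment such as `# site-specific share paths need their own rules (e.g. via a local include)` so an administrator enforcing this profile is not surprised to lose every non-home share. `capability sys_resource,` and `capability sys_tty_config,` likewise carry no why-comment.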
@@ -1,35 +1,40 @@ -# Last Modified: Thu Aug 30 11:41:46 2007 +# Last Modified: Mon Oct 26 13:29:13 2009 # REPOSITORY: http://apparmor.test.opensuse.org/backend/api draglor 53 +# Additional profiling based on work by Андрей Калинин, LP: #226624 #include /usr/bin/skype flags=(complain) { #include #include #include + #include + #include #include + #include + #include + #include - /home/*/.ICEauthority r, - /home/*/.Skype/ rw, - /home/*/.Skype/** krw, - /home/*/.Xauthority r, - /home/*/.config/Trolltech.conf kr, - /home/*/.fontconfig/* r, - /home/*/.mozilla/ r, - /home/*/.mozilla/firefox/ r, - /home/*/.mozilla/firefox/*/ r, - /home/*/.mozilla/firefox/*/bookmarkbackups/ r, - /home/*/.mozilla/firefox/*/chrome/ r, - /home/*/.mozilla/firefox/*/extensions/ r, - /home/*/.mozilla/firefox/*/prefs.js r, - /proc/interrupts r, - /tmp/.ICE-unix/* w, - /tmp/.X11-unix/X0 w, - /usr/bin/skype mr, - /usr/lib/qt4/plugins/iconengines/ r, - /usr/lib/qt4/plugins/imageformats/ r, - /usr/lib/qt4/plugins/imageformats/*.so mr, - /usr/lib/qt4/plugins/inputmethods/ r, - /usr/share/X11/locale/** r, - /usr/share/icons/** r, - /usr/share/skype/sounds/*.wav kr, + # are these needed? + /proc/*/cmdline r, + /dev/video* mrw, /var/cache/libx11/compose/* r, + + # should this be in a separate KDE abstraction? + @{HOME}/.kde/share/config/kioslaverc r, + + /usr/bin/skype mr, + /usr/share/skype/** kr, + /usr/share/skype/sounds/*.wav kr, + + @{HOME}/.Skype/ rw, + @{HOME}/.Skype/** krw, + @{HOME}/.config/* kr, + + @{HOME}/.mozilla/ r, + @{HOME}/.mozilla/*/ r, + @{HOME}/.mozilla/*/*/ r, + @{HOME}/.mozilla/*/*/bookmarkbackups/ r, + @{HOME}/.mozilla/*/*/chrome/ r, + @{HOME}/.mozilla/*/*/extensions/ r, + @{HOME}/.mozilla/*/*/prefs.js r, } +
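Review bot: `/proc/*/cmdline r,` under `# are these needed?` lets skype read the command line of every process on the system rather than only its own, an information-disclosure rule in a profile whose purpose is to contain a closed-source binary; `owner /proc/*/cmdline r,` (the `owner` qualifier is used in the base abstraction hunk of this commit) would limit it to the user's own processes if that suffices, and the open question in the comment should be resolved rather than shipped. `@{HOME}/.config/* kr,` likewise replaces the former `.config/Trolltech.conf kr` with read and lock on every file directly under .config, which includes other applications' settings; if only Qt's file is required the old path was the tighter rule. The `@{HOME}/.mozilla/*/*/prefs.js r,` rule generalises the old firefox-only path to every Mozilla product's preferences; the header could say which skype feature needs it.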