diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
new file mode 100644
index 000000000..782884c60
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -0,0 +1,104 @@
+ # Java plugin
+ @{HOME}/.java/deployment/deployment.properties k,
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> firefox_openjdk,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> firefox_java,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java,
+ /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java,
+
+ # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
+ # unfortunate workarounds of the proprietary Javas, so have a separate
+ # profile.
+ profile firefox_openjdk {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-6-openjdk/jre/bin/java ix,
+ /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m,
+
+ # Why would java need this?
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+ }
+
+ # Profile for commercial Javas. These need workarounds to work right (eg
+ # Sun's forcing of an executable stack (LP: #535247)).
+ profile firefox_java {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ network inet stream,
+ network inet6 stream,
+ @{PROC}/[0-9]*/net/if_inet6 r,
+ @{PROC}/[0-9]*/net/ipv6_route r,
+
+ /etc/java-*/ r,
+ /etc/java-*/** r,
+ /etc/lsb-release r,
+ /etc/ssl/certs/java/* r,
+ /etc/timezone r,
+
+ @{PROC}/[0-9]*/ r,
+ @{PROC}/[0-9]*/fd/ r,
+ @{PROC}/filesystems r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/** r,
+ /usr/share/** r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/bin/env ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
+ /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
+ /usr/lib/j2*-ibm/jre/bin/java ix,
+
+ # noisy, can't write here anyway
+ deny /etc/.java/ w,
+ deny /etc/.java/** w,
+
+ deny /usr/bin/gconftool-2 x,
+
+ owner @{HOME}/ r,
+ owner @{HOME}/** rwk,
+
+ # These are seriously unfortunate, but required due to LP: #535247
+ /etc/passwd m,
+ owner @{HOME}/.java/**/cache/** m,
+ owner /tmp/** m,
+ /usr/lib{,32,64}/jvm/**/*.jar mr,
+ /usr/share/fonts/** m,
+ }
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
new file mode 100644
index 000000000..296191b93
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde
@@ -0,0 +1,2 @@
+ #include
+ /usr/bin/kde4-config Ux, # TODO: use PUx when apparmor is adjusted
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
new file mode 100644
index 000000000..f5c107cd3
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/mailto
@@ -0,0 +1,8 @@
+ # for mailto:
+ #include
+ #include
+
+ # Terminals for using console applications. These abstractions should ideally
+ # have 'ix' to restrct access to what only firefox is allowed to do
+ #include
+
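Review bot: Both child profiles, `firefox_openjdk` and `firefox_java`, grant `owner @{HOME}/** rwk,` with none of the carve-outs that the browser itself gets in ubuntu-browsers.d/user-files, so a compromised plugin running in the child profile can read `~/.ssh` keys and the `~/.gnupg` keyring that the parent profile explicitly denies. As far as I can see a `cx` transition gives the child only its own rules, so those denies have to be repeated here; the `#include` targets are stripped in this rendering, so I cannot tell whether an included abstraction already supplies them. I would add `audit deny @{HOME}/.ssh/** mrwkl,`, `audit deny @{HOME}/.gnome2_private/** mrwkl,` and `audit deny @{HOME}/.gnupg/** mrwkl,` next to the `owner @{HOME}/** rwk,` line in both profiles, or move the three denies into an abstraction that the browser and both child profiles include. The `firefox_java` workarounds (`/etc/passwd m,`, `owner /tmp/** m,`) are already documented against LP: #535247 and need nothing further.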
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
new file mode 100644
index 000000000..6989bae91
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia
@@ -0,0 +1,33 @@
+ # Pulseaudio
+ /usr/bin/pulseaudio ixr,
+
+ # Image viewers
+ /usr/bin/eog PUxr,
+ /usr/bin/gimp* PUxr,
+
+ #include
+ owner @{HOME}/.macromedia/** rw,
+ /opt/real/RealPlayer/mozilla/nphelix.so rm,
+
+ # npviewer
+ /usr/lib/nspluginwrapper/i386/linux/npviewer{,.bin} ixr,
+ /var/lib/ r,
+ /var/lib/**/*.so mr,
+ /usr/bin/setarch ixr,
+
+ # Bittorrent clients
+ #include
+
+ # Mozplugger
+ /etc/mozpluggerrc r,
+ /usr/bin/mozplugger-helper PUxr,
+
+ # Archivers
+ /usr/bin/ark PUxr,
+ /usr/bin/file-roller PUxr,
+ /usr/bin/xarchiver PUxr,
+ /usr/local/lib{,32,64}/*.so* mr,
+
+ # TODO: check this
+ #include
+ /usr/bin/liferea-add-feed PUxr,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
new file mode 100644
index 000000000..aa5d927bd
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common
@@ -0,0 +1,12 @@
+ #
+ # Plugins/helpers
+ #
+ @{PROC}/[0-9]*/fd/ r,
+ /usr/lib/** rm,
+ /bin/bash ixr,
+ /bin/dash ixr,
+ /bin/grep ixr,
+ /bin/sed ixr,
+ /usr/bin/m4 ixr,
+
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
new file mode 100644
index 000000000..440cb00c2
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/productivity
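Review bot: `/var/lib/**/*.so mr,` in the `# npviewer` block lets the browser map as executable any shared object anywhere under /var/lib, while the rest of that block is scoped to nspluginwrapper's own paths. /var/lib is the state directory of every installed service and parts of it are writable by non-root service accounts, so this is wider than a plugin loader needs; if the rule exists for one plugin package that installs its .so under /var/lib (presumably the 32-bit plugin nspluginwrapper wraps, but I cannot tell which from the hunk), anchor it and the companion `/var/lib/ r,` to that directory rather than `**`. `/usr/local/lib{,32,64}/*.so* mr,` sits under `# Archivers` but has nothing to do with them; a one-line comment naming which helper loads libraries from /usr/local would stop the next maintainer from deleting or widening it by accident.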
@@ -0,0 +1,15 @@
+ # Openoffice.org
+ /usr/bin/ooffice PUxr,
+ /usr/bin/oocalc PUxr,
+ /usr/bin/oodraw PUxr,
+ /usr/bin/ooimpress PUxr,
+ /usr/bin/oowriter PUxr,
+ /usr/lib/openoffice/program/soffice PUxr,
+
+ # PDFs
+ /usr/bin/evince PUxr,
+ /usr/bin/okular PUxr,
+ owner @{HOME}/.adobe/** rw,
+
+ /opt/Adobe/Reader9/bin/acroread PUxr,
+ /opt/Adobe/Reader9/** r,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
new file mode 100644
index 000000000..94088e89b
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/text-editors
@@ -0,0 +1,8 @@
+ # Text editors (It's All Text [https://addons.mozilla.org/en-US/firefox/addon/4125])
+ /usr/bin/emacsclient.emacs-snapshot PUxr,
+ /usr/bin/emacsclient.emacs22 PUxr,
+ /usr/bin/gedit PUxr,
+ /usr/bin/vim.gnome PUxr,
+ /usr/bin/leafpad PUxr,
+ /usr/bin/mousepad PUxr,
+
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
new file mode 100644
index 000000000..699e0894d
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -0,0 +1,15 @@
+ # Apport
+ /usr/bin/apport-bug PUx,
+
+ # Package installation
+ /usr/bin/apturl PUxr,
+ /usr/bin/gnome-codec-install PUxr,
+ /usr/lib/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner ix,
+
+ # Input Methods
+ /usr/bin/scim PUx,
+ /usr/bin/scim-bridge PUx,
+
+ # File managers
+ /usr/bin/nautilus PUxr,
+ /usr/bin/thunar PUxr,
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
new file mode 100644
index 000000000..f4dff7a21
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@@ -0,0 +1,23 @@
+ # Allow read to all files user has DAC access to and write access to all
+ # files owned by the user in $HOME.
+ @{HOME}/ r,
+ @{HOME}/** r,
+ owner @{HOME}/** w,
+ owner @{HOME}/Desktop/** r,
+
+ # Do not allow read and/or write to particularly sensitive/problematic files
+ #include
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+
+ # Comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/** mrwkl,
+
+ # Allow read to all files user has DAC access to and write for files the user
+ # owns on removable media and filesystems.
+ /media/** r,
+ /mnt/** r,
+ /srv/** r,
+ owner /media/** w,
+ owner /mnt/** w,
+ owner /srv/** w,
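Review bot: `owner @{HOME}/** w,` leaves the user's shell startup files (`~/.bashrc`, `~/.profile`) and `~/.config/autostart` writable, and only `.ssh`, `.gnome2_private` and `.gnupg` are carved out below; anything a compromised browser writes there runs unconfined at the user's next login, which is the cheapest route out of this profile. If broad write is intended for this deliberately lax profile, say so in the comment; otherwise extend the deny list with entries such as `audit deny @{HOME}/.bashrc w,` and `audit deny @{HOME}/.config/autostart/** w,` (the `#include` target under the sensitive-files comment is stripped in this rendering and may already cover some of these, so check before adding). Separately, `owner @{HOME}/Desktop/** r,` is already implied by the unowned `@{HOME}/** r,` two lines above and can be dropped.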