
Pidgin AppArmor Profile

a guest
Feb 12th, 2012
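  # Reduced Pidgin profile (AppArmor).
  #
  # Confines /usr/bin/pidgin to the configuration, media, spell-check and
  # certificate files it needs, plus a small set of helper programs.
  #
  # Reading notes:
  #   - A line starting with "#include" is an AppArmor directive, not a comment.
  #     Only the "# #include" lines below are actually disabled.
  #   - Permission letters: r = read, w = write, k = file lock,
  #     m = map as executable, ix = execute under this same profile,
  #     Px = execute under the target's own profile with a scrubbed environment.
  #   - "owner" restricts a rule to files owned by the user running Pidgin.
  #   - "deny" rules take precedence over any allow rule, including ones pulled
  #     in by an abstraction, and are not logged unless prefixed with "audit".

  #include <tunables/global>
  /usr/bin/pidgin {
    #include <abstractions/audio>
    #include <abstractions/aspell>
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/consoles>
    #include <abstractions/dbus>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>
    #include <abstractions/ibus>

    # Disabled: the author suspects this grants access to ~/.Xauthority.
    # NOTE(review): another included abstraction (e.g. gnome) may pull in
    # abstractions/X itself on some releases; check the installed files
    # before relying on this omission.
    # #include <abstractions/X>

    # Disabled: purpose unknown to the author.
    # #include <abstractions/launchpad-integration>

    # Disabled: user-download grants access to arbitrary non-dotfile
    # directories under $HOME, which is far more than file transfer needs.
    # #include <abstractions/user-download>
    # Narrow replacement: read-only Public, read/write Downloads, direct
    # children only (a single "*" does not descend into subdirectories).
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,

    # ptrace lets a process inspect and control other processes; Pidgin did
    # not appear to need it in the author's use, so refuse it without logging.
    deny capability sys_ptrace,

    # Shell start-up files and SSH material must stay out of reach even if an
    # abstraction above (abstractions/bash in particular) would allow them.
    # The .ssh rule uses "**" so nested paths are covered as well as direct
    # children; the original "*" stopped at the first directory level.
    # NOTE(review): other credential stores (for example ~/.gnupg) have no
    # explicit deny here and depend on no include granting access; confirm
    # against the installed abstractions.
    deny @{HOME}/.bash* rw,
    deny @{HOME}/.cshrc rw,
    deny @{HOME}/.profile rw,
    deny @{HOME}/.ssh/** rw,
    deny @{HOME}/.zshrc rw,

    # Per-user state: spell checking, icons/MIME data, send-to plugin,
    # GStreamer and PulseAudio client state, and Pidgin's own ~/.purple.
    owner @{HOME}/.config/enchant/ rw,
    owner @{HOME}/.config/enchant/* rwk,
    owner @{HOME}/.local/share/icons/ r,
    owner @{HOME}/.local/share/mime/* r,
    owner @{HOME}/.gnome2/nautilus-sendto/** rw,
    owner @{HOME}/.gstreamer*/ rw,
    owner @{HOME}/.gstreamer*/** rw,
    owner @{HOME}/.pulse/ rw,
    owner @{HOME}/.pulse/** rw,
    owner @{HOME}/.pulse-cookie rwk,
    # ~/.purple holds account settings and logs; it is the most sensitive
    # path this profile leaves writable.
    owner @{HOME}/.purple/ rw,
    owner @{HOME}/.purple/** rwk,

    # The shell runs under this same profile (ix), so anything it starts is
    # held to the rules in this file.
    /bin/dash rix,

    # NOTE(review): no "owner" qualifier here, so access to other users'
    # shared-memory files is limited only by ordinary file permissions.
    # Adding "owner" would be tighter; test audio before changing it.
    /dev/shm/ r,
    /dev/shm/* rw,

    /etc/ r,
    /etc/pulse/client.conf r,
    /etc/ssl/certs/ r,
    /etc/ssl/certs/** r, # Added for Ubuntu 11.10
    # Already matched by the /etc/ssl/certs/** rule above; kept as written.
    /etc/ssl/certs/ssl-cert-snakeoil.pem r,

    owner /tmp/orbit-*/* w,
    owner /tmp/pulse-*/* w,

    # Helper programs. All of these inherit this profile (ix), so a URL or
    # file opener started from Pidgin gets no more access than Pidgin itself.
    /usr/bin/gconftool-2 rix,
    /usr/bin/gnome-default-applications-properties ix,
    /usr/bin/gnome-network-preferences ix,
    /usr/bin/gnome-open rmix,
    /usr/bin/pidgin r,
    /usr/bin/xdg-open rmix,

    /usr/lib/ r,
    # Px: Firefox switches to its own profile. If no profile is loaded for
    # this path the exec is refused rather than run unconfined.
    /usr/lib/firefox-*/firefox.sh Px,
    /usr/lib/libvisual-*/**.so rm,
    /usr/lib/pidgin/*.so rm,
    /usr/lib/purple*/*.so rm,

    /usr/share/ca-certificates/*/** r,
    /usr/share/enchant/enchant.ordering r,
    /usr/share/locale-langpack/** rm,
    /usr/share/purple/ca-certs/ r,
    /usr/share/purple/ca-certs/** r,
    /usr/share/myspell/dicts/ r,
    /usr/share/myspell/dicts/** r,
    /usr/share/tcltk/** r,

    # Added on Ubuntu 11.10
    /usr/include/python2.7/pyconfig.h r,
    /usr/share/themes/** r,

    # Spell check on 11.10 (the author guesses it moved away from myspell).
    /usr/share/hunspell/ r,
    /usr/share/hunspell/** r,

    # Block every read under /proc and, because deny rules are not logged,
    # keep the resulting denials out of the audit log.
    # NOTE(review): the silence also hides probes of /proc by a compromised
    # plugin; use "audit deny" if those events should be recorded.
    deny @{PROC}/** r,
  }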