- # Reduced AppArmor profile for Pidgin. @{HOME} and @{PROC} used below are expected to come from tunables/global.
- #include <tunables/global>
- /usr/bin/pidgin {
- #include <abstractions/audio>
- #include <abstractions/aspell>
- #include <abstractions/base>
- #include <abstractions/bash>
- #include <abstractions/consoles>
- #include <abstractions/dbus>
- #include <abstractions/fonts>
- #include <abstractions/freedesktop.org>
- #include <abstractions/gnome>
- #include <abstractions/nameservice>
- #include <abstractions/user-tmp>
- #include <abstractions/ibus>
- # Allows access to .Xauthority?? NOTE(review): abstractions/gnome above may pull in abstractions/X itself - check the installed copy.
- # #include <abstractions/X>
- # ???
- # #include <abstractions/launchpad-integration>
- # XXX Bleh. Allows arbitrary access to non-dotfile dirs
- # #include <abstractions/user-download>
- # Let's just do this instead ('*' stays within one directory level, so subdirectories are not covered):
- owner @{HOME}/Public/ r,
- owner @{HOME}/Public/* r,
- owner @{HOME}/Downloads/ r,
- owner @{HOME}/Downloads/* rw,
- # XXX: Wtf? arbitrary ptrace is pretty insanely powerful. Doesn't
- # seem required anyways. Let's just quietly kill it (a deny rule also suppresses the audit log entry).
- deny capability sys_ptrace,
- deny @{HOME}/.bash* rw, # explicit deny wins over any allow pulled in by the abstractions above; keeps shell startup files untouched
- deny @{HOME}/.cshrc rw,
- deny @{HOME}/.profile rw,
- deny @{HOME}/.ssh/* rw, # '*' matches direct children only; the .ssh directory itself and nested paths are not matched by this rule
- deny @{HOME}/.zshrc rw,
- owner @{HOME}/.config/enchant/ rw,
- owner @{HOME}/.config/enchant/* rwk, # k = file locking
- owner @{HOME}/.local/share/icons/ r,
- owner @{HOME}/.local/share/mime/* r,
- owner @{HOME}/.gnome2/nautilus-sendto/** rw,
- owner @{HOME}/.gstreamer*/ rw,
- owner @{HOME}/.gstreamer*/** rw,
- owner @{HOME}/.pulse/ rw,
- owner @{HOME}/.pulse/** rw,
- owner @{HOME}/.pulse-cookie rwk,
- owner @{HOME}/.purple/ rw,
- owner @{HOME}/.purple/** rwk,
- /bin/dash rix, # ix: the shell inherits this profile rather than running unconfined
- /dev/shm/ r,
- /dev/shm/* rw, # no 'owner' qualifier here: any file at this level is allowed as far as file permissions permit
- /etc/ r, # the directory entry only; grants no read access to files under /etc
- /etc/pulse/client.conf r,
- /etc/ssl/certs/ r,
- /etc/ssl/certs/** r, # Added for Ubuntu 11.10
- /etc/ssl/certs/ssl-cert-snakeoil.pem r, # already covered by the /etc/ssl/certs/** rule above
- owner /tmp/orbit-*/* w,
- owner /tmp/pulse-*/* w,
- /usr/bin/gconftool-2 rix,
- /usr/bin/gnome-default-applications-properties ix,
- /usr/bin/gnome-network-preferences ix,
- /usr/bin/gnome-open rmix, # ix: the opener stays under this profile, so what it launches needs a matching exec rule here
- /usr/bin/pidgin r,
- /usr/bin/xdg-open rmix,
- /usr/lib/ r,
- /usr/lib/firefox-*/firefox.sh Px, # Px: switch to the target's own profile with a scrubbed environment; exec is refused if none is loaded
- /usr/lib/libvisual-*/**.so rm,
- /usr/lib/pidgin/*.so rm,
- /usr/lib/purple*/*.so rm,
- /usr/share/ca-certificates/*/** r,
- /usr/share/enchant/enchant.ordering r,
- /usr/share/locale-langpack/** rm,
- /usr/share/purple/ca-certs/ r,
- /usr/share/purple/ca-certs/** r,
- /usr/share/myspell/dicts/ r,
- /usr/share/myspell/dicts/** r,
- /usr/share/tcltk/** r,
- # Added on ubuntu 11.10
- /usr/include/python2.7/pyconfig.h r,
- /usr/share/themes/** r,
- # For spell check on 11.10 (I guess it changed from myspell?)
- /usr/share/hunspell/ r,
- /usr/share/hunspell/** r,
- # Stop groveling in /proc, and STFU about it plz (deny = blocked and not logged; '**' covers everything under /proc)
- deny @{PROC}/** r,
- }