# vim:syntax=apparmor
#
# AppArmor profile for the click-packaged "reminders" app
# (com.ubuntu.reminders, version 0.5.latest). The body is the generated
# "common for all apps" rule set followed by the rules of the policy groups
# the package requests (Online Accounts, audio, content exchange, networking,
# UbuntuWebview). The webview rules add a nested child profile,
# oxide_helper, shared by chrome-sandbox and oxide-renderer.

#include <tunables/global>

# Specified profile variables
# @{APP_ID_DBUS} is the D-Bus-escaped form of the profile name below
# ("_2e" = '.', "_5f" = '_'), so it can appear in D-Bus object paths and
# bus names.
@{APP_APPNAME}="reminders"
@{APP_ID_DBUS}="com_2eubuntu_2ereminders_5freminders_5f0_2e5_2elatest"
@{APP_PKGNAME_DBUS}="com_2eubuntu_2ereminders"
@{APP_PKGNAME}="com.ubuntu.reminders"
@{APP_VERSION}="0.5.latest"
# Every location a click package may be installed from.
@{CLICK_DIR}="{/custom/click,/opt/click.ubuntu.com,/usr/share/click/preinstalled}"

# attach_disconnected: paths that are disconnected from the namespace root
# (eg, the Android property socket below) are still mediated against this
# profile instead of being denied outright.
profile "com.ubuntu.reminders_reminders_0.5.latest" (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>

# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>

# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,

# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"

#
# IPC rules common for all apps
#
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>

# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communications with any system services is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
#include <abstractions/dbus-strict>

# Unity shell
# Note the asymmetry: sends are pinned to the shell's well-known bus name,
# while receives only require the peer to be unconfined.
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
peer=(label=unconfined),


# Unity HUD
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication"
peer=(label=unconfined),
# The app's own HUD object; the path is keyed on the app id so one app
# cannot talk to another app's HUD registration.
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate}
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus,label=unconfined),
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery"
peer=(label=unconfined),
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness"
peer=(label=unconfined),

# on screen keyboard (OSK)
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server,label=unconfined),
# maliit hands out an abstract unix socket address via the property above;
# this is the socket the app then connects to.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/maliit-server/dbus-*"),

# clipboard (LP: #1371170)
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),

# usensors
dbus (send)
bus=session
path=/com/canonical/usensord/haptic
interface=com.canonical.usensord.haptic
peer=(label=unconfined),

# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL"
peer=(label=unconfined),

# This is needed when the app is already running and needs to be passed in
# a URL to open. This is most often used with content-hub providers and
# url-dispatcher, but is actually supported by Qt generally (though because
# we don't allow the corresponding send, a malicious app can't send this to
# another app).
dbus (receive)
bus=session
path=/@{APP_ID_DBUS}
interface="org.freedesktop.Application"
member="Open"
peer=(label=unconfined),

# This is needed for apps to interact with the Launcher (eg, for the counter)
dbus (receive, send)
bus=session
path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
peer=(label=unconfined),

# TODO: finetune this
# NOTE(review): the send to org.a11y.Bus and the receive on the
# accessibility bus carry no path/interface/member restriction, so this is
# the broadest D-Bus grant in the common rules.
dbus (send)
bus=session
peer=(name=org.a11y.Bus,label=unconfined),
dbus (receive)
bus=session
interface=org.a11y.atspi**
peer=(label=unconfined),
dbus (receive, send)
bus=accessibility
peer=(label=unconfined),

# Deny potentially dangerous access
# (explicit denies take precedence over any allow rule above or below)
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
audit deny dbus bus=session
interface="com.canonical.snapdecisions",
deny dbus (send)
bus=session
interface="org.gnome.GConf.Server",

# LP: #1378823
# An app must not claim the generic org.freedesktop.Application name;
# see also the RequestName sends allowed in the policy groups below.
deny dbus (bind)
name="org.freedesktop.Application",

#
# end DBus rules common for all apps
#

# Don't allow apps to access scope endpoints
audit deny /run/user/[0-9]*/zmq/ rw,
audit deny /run/user/[0-9]*/zmq/** rwk,

# Explicitly deny dangerous access
audit deny /dev/input/** rw,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera

# LP: #1378115
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,

# LP: #1381620
# Only the app-specific QML cache subdirectory is allowed (see "Application
# writable dirs" below); listing the shared parent is denied.
deny @{HOME}/.cache/QML/Apps/ r,

# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/etc/pango/* r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,

# /custom access
/custom/xdg/data/themes/ r,
/custom/xdg/data/themes/** r,
/custom/usr/share/fonts/ r,
/custom/usr/share/fonts/** r,

# ibus read accesses
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded

# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,

/usr/share/glib*/schemas/gschemas.compiled r,

# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps-- this will be easier once we have a PID kernel
# var in AppArmor)
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running process. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,

# libhybris
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,

# attach_disconnected path
/dev/socket/property_service rw,

# Android logging triggered by platform. Can safely deny
# LP: #1197124
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# LP: #1352432
deny /dev/xLog w,
deny @{PROC}/xlog/ r,
deny @{PROC}/xlog/* rw,

# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,

# TODO: investigate
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,

/sys/devices/system/cpu/ r,
/sys/kernel/debug/tracing/trace_marker w,
# LP: #1286162
/etc/udev/udev.conf r,
/sys/devices/pci[0-9]*/**/uevent r,
# Not required, but noisy
deny /run/udev/data/** r,

#
# thumbnailing helper
#
# ix: the helper inherits this profile rather than transitioning.
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: this leaks running process. AppArmor kernel var could solve this
owner @{PROC}/[0-9]*/attr/current r,

#
# apps may always use vibrations
#
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,

#
# apps may always use the accelerometer and orientation sensor
#
/etc/xdg/QtProject/Sensors.conf r,

#
# qmlscene
#
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,

owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,

#
# cordova-ubuntu
#
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,

#
# ubuntu-html5-app-launcher
#
/usr/share/ubuntu-html5-app-launcher/ r,
/usr/share/ubuntu-html5-app-launcher/** r,
/usr/share/ubuntu-html5-ui-toolkit/ r,
/usr/share/ubuntu-html5-ui-toolkit/** r,

# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
/usr/bin/ubuntu-html5-app-launcher rmix,

# qmlscene webview
# TODO: these should go away once /usr/bin/ubuntu-html5-app-launcher uses
# Oxide
/usr/lib/@{multiarch}/qt5/libexec/QtWebProcess rmix,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,

/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,

# GStreamer binary registry - hybris pulls this in for everything now, not
# just audio
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT compiled code in the form of orcexec.* files. Various
# locations are tried so silence the ones we won't permit anyway
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,

/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,

# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,

# cordova-ubuntu wants to runs lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fallback to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
/etc/ r,
/etc/lsb-release r,

#
# Application install dirs
#

# Click packages
# mrklix: the app may map, read, lock and link its own install tree and
# execute binaries from it under this same profile (ix).
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,

# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,

#
# Application writable dirs
#

# FIXME: LP: #1197060, LP: #1377648 (don't remove until qtwebkit is off the
# image)
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,

# FIXME: LP: #1370218
owner /{run,dev}/shm/shmfd-* rwk,

# Allow writes to various (application-specific) XDG directories
# Every writable location is keyed on @{APP_PKGNAME} and restricted to
# files the app's uid owns, so apps cannot write into each other's data.
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
# XDG_DATA_HOME is the only writable tree that also allows execution (ix).
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,

# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

# No abstractions specified

# Rules specified via policy groups
# Description: Can use Online Accounts.
# Usage: common
/usr/share/accounts/** r,

dbus (receive, send)
bus=session
path=/com/google/code/AccountsSSO/SingleSignOn
interface=com.google.code.AccountsSSO.SingleSignOn.AuthService
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/google/code/AccountsSSO/SingleSignOn{,/**}
interface=org.freedesktop.DBus.Properties
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=com.google.code.AccountsSSO.SingleSignOn.Identity
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=com.ubuntu.OnlineAccountsUi
peer=(label=unconfined),
dbus (receive)
bus=session
interface=com.google.code.AccountsSSO.Accounts
peer=(label=unconfined),

# p2p support uses a named unix socket
owner /{,var/}run/user/*/signond/socket w,

# read access to accounts.db is ok
owner @{HOME}/.config/libaccounts-glib/accounts.db* rk,
# FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
# ro. This can go away once an access() LSM hook is implemented. For
# now, just silence the denial.
deny @{HOME}/.config/libaccounts-glib/accounts.db* w,

# apps will dereference the symlinks in this directory to access their own
# accounts provider (which is in an app-specific directory). This is not an
# information leak on its own because users of this policy group have read
# access to accounts.db.
owner @{HOME}/.local/share/accounts/** r,

# Note: this API should *not* be allowed to normal apps, only the
# webapp-container. As such, we can't explicitly deny access here but it is
# listed as a comment to make sure it isn't accidentally added in the future.
# audit deny dbus (receive, send)
# bus=session
# interface=com.nokia.singlesignonui
# member=cookiesForIdentity,

# Description: Can play audio (allows playing remote content via media-hub)
# Usage: common
/dev/ashmem rw,

# Don't include the audio abstraction and enforce use of pulse instead
/etc/pulse/ r,
/etc/pulse/* r,
/{run,dev}/shm/ r, # could allow enumerating apps
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it
owner @{HOME}/.pulse-cookie rk,
owner @{HOME}/.pulse/ r,
owner @{HOME}/.pulse/* rk,
owner /{,var/}run/user/*/pulse/ r,
owner /{,var/}run/user/*/pulse/ w, # shouldn't be needed, but rmdir fail otherwise
owner /{,var/}run/user/*/pulse/native rwk, # cli and dbus-socket should not be
# used by confined apps
owner @{HOME}/.config/pulse/cookie rk,

# Force the use of pulseaudio and silence any denials for ALSA
deny /usr/share/alsa/alsa.conf r,
deny /dev/snd/ r,
deny /dev/snd/* r,

# Allow communications with media-hub
dbus (receive, send)
bus=session
path=/core/ubuntu/media/Service{,/**}
peer=(label="{unconfined,/usr/bin/media-hub-server}"),

# Allow communications with thumbnailer for retrieving album art
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Thumbnailer"
member="Introspect"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/Thumbnailer"
member={GetAlbumArt,GetArtistArt}
peer=(label=unconfined),

# Allow communications with mediascanner2
dbus (send)
bus=session
path=/com/canonical/MediaScanner2
interface=com.canonical.MediaScanner2
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),
# NOTE(review): this receive has no path/interface restriction; anything
# the mediascanner service (or any unconfined peer) sends is accepted.
dbus (receive)
bus=session
peer=(label="{unconfined,/usr/bin/mediascanner-service*}"),

# sound files on the device
/usr/share/sounds/ r,
/usr/share/sounds/** r,
/custom/usr/share/sounds/ r,
/custom/usr/share/sounds/** r,

# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/audio.d"

# Description: Can request/import data from other applications
# Usage: common
dbus (send)
bus=session
interface=org.freedesktop.DBus
path=/org/freedesktop/DBus
member=RequestName
peer=(label=unconfined),
# The only bus name an app may own is its own content-hub handler name.
dbus (bind)
bus=session
name=com.ubuntu.content.handler.@{APP_ID_DBUS},
dbus (receive)
bus=session
path=/com/ubuntu/content/handler/@{APP_ID_DBUS}
interface=com.ubuntu.content.dbus.Handler
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Transfer
path=/transfers/@{APP_ID_DBUS}/import/*
peer=(label=unconfined),
dbus (receive, send)
bus=session
interface=com.ubuntu.content.dbus.Service
peer=(label=unconfined),

# LP: #1293771
# Since fd delegation doesn't exist in the form that we need it at this time,
# content-hub will create hard links in ~/.cache/@{APP_PKGNAME}/HubIncoming/
# for volatile data. As such, apps should not have write access to anything in
# this directory otherwise they would be able to change the source content.
# (This deny carves the directory out of the broader XDG_CACHE_HOME write
# rule above.)
deny @{HOME}/.cache/@{APP_PKGNAME}/HubIncoming/** w,

# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>

# DownloadManager
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=session
interface="org.freedesktop.DBus.Introspectable"
path=/com/canonical/applications/download/**
member=Introspect
peer=(label=unconfined),
# Allow DownloadManager to send us signals, etc
dbus (receive)
bus=session
interface=com.canonical.applications.Download{,er}Manager
peer=(label=unconfined),
# Restrict apps to just their own downloads
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/** rwk,
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.Download
peer=(label=unconfined),
dbus (receive, send)
bus=session
path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
interface=com.canonical.applications.GroupDownload
peer=(label=unconfined),
# Be explicit about the allowed members we can send to
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownload
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=createDownloadGroup
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloads
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=getAllDownloadsWithMetadata
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=defaultThrottle
peer=(label=unconfined),
dbus (send)
bus=session
path=/
interface=com.canonical.applications.DownloadManager
member=isGSMDownloadAllowed
peer=(label=unconfined),
# Explicitly deny DownloadManager APIs apps shouldn't have access to in order
# to make sure they aren't accidentally added in the future (see LP: #1277578
# for details)
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=allowGSMDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=createMmsDownload,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=exit,
audit deny dbus (send)
bus=session
interface=com.canonical.applications.DownloadManager
member=setDefaultThrottle,

# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
bus=system
path=/org/freedesktop/NetworkManager,
deny dbus (receive, send)
bus=system
peer=(name=org.freedesktop.NetworkManager),

# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
bus=system
interface="org.ofono.Manager",

# Description: Can use the UbuntuWebview
# Usage: common

# UbuntuWebview
# (These four paths repeat the "qmlscene webview" rules above; harmless,
# since AppArmor rules accumulate.)
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/** r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/ r,
/usr/share/qtdeclarative5-ubuntu-web-plugin/** r,

# Only processes under this same profile may be traced or signalled.
ptrace (read, trace) peer=@{profile_name},
signal peer=@{profile_name}//oxide_helper,

# Allow communicating with sandbox
unix (receive, send) peer=(label=@{profile_name}//oxide_helper),

# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we'll use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
# NOTE(review): the two transitions differ in case ('Cx' vs 'cx'); in
# AppArmor the upper-case form scrubs the environment on exec and the
# lower-case form does not. Confirm the asymmetry is intended.
/usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,

/usr/lib/@{multiarch}/oxide-qt/* r,
@{PROC}/[0-9]*/task/[0-9]*/stat r,

# LP: #1275917 (not a problem, but unnecessary)
/usr/share/glib-2.0/schemas/gschemas.compiled r,

# LP: #1260044
deny /usr/lib/@{multiarch}/qt5/bin/locales/ w,
deny /usr/bin/locales/ w,

# LP: #1260101
# (Same three denies as under LP: #1378115 above; duplicated by the policy
# group generator.)
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,

# LP: #1357371 (webapp-container needs corresponding 'bind' call on
# org.freedesktop.Application, which we block elsewhere. webapp-container
# shouldn't be doing this under confinement, but we allow this rule in
# content_exchange, so just allow it to avoid confusion)
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName
peer=(label=unconfined),

# LP: #1260048 - only allow 'r' for now, since 'w' allow for db poisoning
owner @{HOME}/.pki/nssdb/ r,
owner @{HOME}/.pki/nssdb/** rk,
deny @{HOME}/.pki/nssdb/ w,
deny @{HOME}/.pki/nssdb/** w,

# LP: #
# NOTE(review): the bug number is missing here; the block below grants read
# access to PCI device attributes under /sys.
/sys/bus/pci/devices/ r,
/sys/devices/pci[0-9]*/**/class r,
/sys/devices/pci[0-9]*/**/device r,
/sys/devices/pci[0-9]*/**/irq r,
/sys/devices/pci[0-9]*/**/resource r,
/sys/devices/pci[0-9]*/**/vendor r,
/sys/devices/pci[0-9]*/**/removable r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/pci[0-9]*/**/block/**/size r,
/etc/udev/udev.conf r,

# LP: #1260098
/tmp/ r,
/var/tmp/ r,

# LP: #1260103
owner /run/shm/.org.chromium.Chromium.* rwk,

# LP: #1260090 - when this bug is fixed, oxide_renderer can become a
# child profile of this profile, then we can use Cx here and Px in
# chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
# as standalone profiles and we would just Px/px to them, but this is not
# practical because oxide-renderer needs to access app-specific files
# and shm files (when 1260103 is fixed). For now, have a single helper
# profile for chrome-sandbox and oxide-renderer.
#
# Child profile entered by the Cx/cx transitions above. Its full label is
# @{profile_name}//oxide_helper, which is what the ptrace/signal/unix rules
# of the parent refer to.
profile oxide_helper (attach_disconnected) {
#
# Shared by chrome-sandbox and oxide-helper
#
#include <abstractions/base>

# So long as we don't give /dev/binder, this should be 'ok'
/{,android/}vendor/lib/*.so mr,
/{,android/}system/lib/*.so mr,
/{,android/}system/vendor/lib/*.so mr,
/{,android/}system/build.prop r,
/dev/socket/property_service rw, # attach_disconnected path

# NOTE(review): unlike the parent profile, the first four /proc rules here
# carry no 'owner' qualifier, so the helper can list every pid's directory,
# fd/ and auxv.
@{PROC}/ r,
@{PROC}/[0-9]*/ r,
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/stat r,

#
# chrome-sandbox specific
#
# Required for dropping into PID namespace. Keep in mind that until the
# process drops this capability it can escape confinement, but once it
# drops CAP_SYS_ADMIN we are ok.
capability sys_admin,

# All of these are for sanely dropping from root and chrooting
capability chown,
capability fsetid,
capability setgid,
capability setuid,
capability dac_override,
capability dac_read_search,
capability sys_chroot,

capability sys_ptrace,
ptrace (read, readby),
# The parent app's label, spelled out since @{profile_name} inside a child
# profile refers to the child.
signal peer=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION},

unix peer=(label=@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}),
unix (create),
unix peer=(label=@{profile_name}),
unix (getattr, getopt, setopt, shutdown),

# LP: #1260115
deny @{PROC}/[0-9]*/oom_adj w,
deny @{PROC}/[0-9]*/oom_score_adj w,

/usr/lib/@{multiarch}/oxide-qt/oxide-renderer rmix,

#
# oxide-renderer specific
#
#include <abstractions/fonts>
@{PROC}/sys/kernel/shmmax r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
deny /etc/passwd r,
deny /tmp/ r,
deny /var/tmp/ r,

/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox rmix,

# The renderer may need access to app-specific files, such as WebCore
# databases
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw,
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,

# LP: #1260103
# NOTE(review): no 'owner' qualifier here, whereas the parent profile's
# rule for the same shm files has one. Confirm whether the helper really
# needs access to files owned by other uids.
/run/shm/.org.chromium.Chromium.* rwk,

# LP: #1260048
# NOTE(review): the parent profile restricts nssdb to 'r'/'rk' and denies
# 'w' citing database poisoning under this same bug number, but the helper
# gets 'rw'/'rwk'. Since the renderer runs web content, confirm this is
# intended rather than an oversight.
owner @{HOME}/.pki/nssdb/ rw,
owner @{HOME}/.pki/nssdb/** rwk,

# LP: #1260044
deny /usr/lib/@{multiarch}/oxide-qt/locales/ w,
}

# No read paths specified

# No write paths specified
}