metalinspired

Opera 11.10 AppArmor profile

May 17th, 2011
  1. #Opera 11.10 AppArmor profile by Ryan Farmer. Confines /usr/bin/opera; every helper started with ix/rix below keeps running under this same profile.
  2. #include <tunables/global>
  3.  
  4. /usr/bin/opera {
  5. #include <abstractions/audio>
  6. #include <abstractions/cups-client>
  7. #include <abstractions/dbus-session>
  8. #include <abstractions/nameservice>
  9. #include <abstractions/kde>
  10. #include <abstractions/freedesktop.org>
  11.  
  12. #Allow networking: stream (TCP) sockets over IPv4 and IPv6, plus read access to the per-process IPv6 interface and route tables under @{PROC}.
  13. network inet stream,
  14. network inet6 stream,
  15. @{PROC}/[0-9]*/net/if_inet6 r,
  16. @{PROC}/[0-9]*/net/ipv6_route r,
  17.  
  18. #For printing: read and lock anything under /etc/cups. NOTE(review): ** covers the whole CUPS configuration tree; narrow it if only the client configuration is read -- confirm.
  19. /etc/cups/** rk,
  20.  
  21. #Capabilities. A capability rule only permits use of a capability the process already holds, so these matter mainly if Opera is started with elevated privileges. NOTE(review): sys_ptrace allows tracing other processes and is a broad grant for a browser; presumably it was added to quiet denials from /bin/ps -- confirm and drop it if so.
  22. capability ipc_lock,
  23. capability sys_ptrace,
  24.  
  25. #Enable user to do normal stuff with home folder, allow file locking in Pictures to enable Speed Dial background. NOTE(review): Downloads carries both w and ix, so a file the browser has written can then be executed inside this profile; drop ix unless a concrete need is confirmed.
  26. owner @{HOME}/Downloads/** ixrwk,
  27. owner @{HOME}/Pictures/** rwk,
  28. owner @{HOME}/Documents/** rw,
  29. owner @{HOME}/Music/** rw,
  30.  
  31. #Stuff that Opera executes in normal operation. ix makes each child inherit this profile, so the helpers get exactly the access granted here. NOTE(review): /bin/dash is a general-purpose shell; consider a child profile (Cx) limited to the scripts Opera actually runs.
  32. /usr/lib/gstreamer*/gstreamer*/gst-plugin-scanner ix,
  33. /usr/bin/kde4-config ix,
  34. /usr/lib/opera/opera* ix,
  35. /bin/dash ix,
  36. /bin/grep ix,
  37. /bin/uname ix,
  38. /bin/ps ix,
  39. /bin/sed ix,
  40. /usr/bin/file ix,
  41.  
  42. #Stuff that needs to be read. NOTE(review): /proc/*/cmdline, stat and status cover every process, not only Opera's own; presumably needed by /bin/ps -- confirm. The networking section spells the same prefix @{PROC}/[0-9]*/; the two forms should agree.
  43. /dev/tty r,
  44. /etc/fstab r,
  45. /etc/magic r,
  46. /etc/mtab r,
  47. /etc/udev/udev.conf r,
  48. /proc/*/cmdline r,
  49. /proc/*/stat r,
  50. /proc/*/status r,
  51. /proc/version r,
  52. /proc/modules r,
  53. /proc/uptime r,
  54. /proc/tty/drivers r,
  55. /proc/sys/kernel/pid_max r,
  56.  
  57. #Stuff that needs to be mmapped. m permits executable mappings. NOTE(review): /tmp is world-writable, so /tmp/** m lets any file placed there be mapped as code; narrow it to the pattern the plugin actually uses. /usr/lib** has no slash before **, so it also matches sibling paths whose names merely begin with /usr/lib.
  58. /lib/*-linux-gnu/** m,
  59. /usr/lib** m,
  60. /tmp/** m,
  61.  
  62. #We obviously need to let the Opera binary manipulate itself and read/write its own profile and read/file lock some global settings. owner limits a rule to files owned by the user running Opera. NOTE(review): @{HOME}/.opera** has no slash before **, so it also matches any other dot-path beginning with .opera; the .kde/share/config/** and .kde/share/apps/** rules give write access to every KDE application's settings, not only Opera's.
  63. /etc/mailcap rk,
  64. /etc/X11/cursors/** rk,
  65. /etc/xdg/Trolltech.conf rk,
  66. owner @{HOME}/.config/oxygen-gtk/* rw,
  67. owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rwlk,
  68. owner @{HOME}/.gstreamer-0.10/registry.* rwlk,
  69. owner @{HOME}/.gtk-bookmarks r,
  70. owner @{HOME}/.opera** rwlk,
  71. owner @{HOME}/.kde/share/config/** rwk,
  72. owner @{HOME}/.kde/share/apps/** rwlk,
  73. owner @{HOME}/.config/ibus/bus/ w,
  74. /usr/bin/opera ixrmk,
  75. /usr/share/** rk,
  76. /etc/gnome/defaults.list rk,
  77. /usr/local/share/applications/mimeinfo.cache rk,
  78. owner @{HOME}/.local/share/applications/mimeinfo.cache rk,
  79. owner @{HOME}/.config/user-dirs.dirs rk,
  80.  
  81. #Adobe Trash likes to write to the video card for GPU accel and Opera will eventually anyway. Vomit a little in my mouth. NOTE(review): NVIDIA device nodes are usually /dev/nvidia0 and /dev/nvidiactl, which /dev/nvidia/** would not match -- verify against the denial log.
  82. /dev/ati/** rw,
  83. /dev/nvidia/** rw,
  84. /proc/*/major r,
  85.  
  86. #Make webcam work in Adobe Trash and give Trash access to its settings folder. Vomit a little more in my mouth. NOTE(review): the /dev/v4l read grant applies to everything running under this profile, not only the plugin.
  87. /dev/v4l/** r,
  88. owner @{HOME}/.macromedia/** rw,
  89. owner @{HOME}/.adobe/** rw,
  90.  
  91. #So importing Firefox profiles works. NOTE(review): this is a standing read grant over the whole Firefox/Mozilla profile tree, not a one-time import permission; remove it once the import is done.
  92. owner @{HOME}/.{firefox,mozilla}/** r,
  93.  
  94. #File Helpers. rix = read plus inherit-exec, so each helper, and whatever it launches in turn, stays under this profile.
  95. /usr/bin/kfmclient rix,
  96. /usr/bin/kde-open rix,
  97. /usr/bin/xdg-open rix,
  98. /usr/bin/kioclient rix,
  99.  
  100. #Document Viewers (run under this profile via rix, so they can only open files the rules above make readable).
  101. /usr/bin/okular rix,
  102. /usr/bin/kate rix,
  103. /usr/bin/kwrite rix,
  104.  
  105. #So instant messenger protocol helpers work. NOTE(review): under rix kopete and pidgin run with Opera's permissions rather than their own; a dedicated profile reached with a Px transition would keep their access separate.
  106. /usr/bin/kopete rix,
  107. /usr/bin/pidgin rix,
  108.  
  109. #Package installers for Debian/Ubuntu KDE and GTK. NOTE(review): gdebi started from here inherits this profile; confirm an install actually works under it before keeping the rule.
  110.  
  111. /usr/bin/gdebi* rix,
  112.  
  113. #This should support most bittorrent clients. NOTE(review): /usr/bin/*torrent is a wildcard over program names; listing the installed clients explicitly is tighter.
  114. /usr/bin/deluge rix,
  115. /usr/bin/transmission* rix,
  116. /usr/bin/*torrent rix,
  117.  
  118. #So browsing directories works without crashing the file viewer. Both patterns end in a slash and so match directories only: they allow listing any directory on the system (subject to normal Unix permissions), not reading file contents.
  119. / r,
  120. /**/ r,
  121.  
  122. }