From 7377aed01627d3953aae9443601a77af12b7f2b6 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 6 May 2022 21:29:06 +0100
Subject: [PATCH] fix: remove absraction from upstream.
---
 apparmor.d/abstractions/evince | 123 ---------------------------------
 1 file changed, 123 deletions(-)
 delete mode 100644 apparmor.d/abstractions/evince
diff --git a/apparmor.d/abstractions/evince b/apparmor.d/abstractions/evince
deleted file mode 100644
index bcfd6886c..000000000
--- a/apparmor.d/abstractions/evince
+++ /dev/null
@@ -1,123 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction used by evince binaries
-#
-
- include
- include
- include
-
- @{PROC}/[0-9]*/fd/ r,
- @{PROC}/[0-9]*/mountinfo r,
- owner @{PROC}/[0-9]*/auxv r,
- owner @{PROC}/[0-9]*/status r,
-
- # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
- # Possibly move to an abstraction if anything else needs it.
- deny /run/udev/data/** r,
-
- # move out to the gnome abstraction if anyone else needs these
- /dev/.udev/{data,db}/* r,
- /etc/udev/udev.conf r,
- /sys/devices/**/block/**/uevent r,
-
- # apport
- /etc/default/apport r,
-
- # XFCE
- /etc/xfce4/defaults.list r,
-
- # Lubuntu
- /etc/xdg/lubuntu/applications/defaults.list r,
-
- # evince specific
- /etc/ r,
- /etc/fstab r,
- /etc/texmf/ r,
- /etc/texmf/** r,
- /etc/xpdf/* r,
- owner @{user_config_dirs}/evince/ rw,
- owner @{user_config_dirs}/evince/** rwkl,
-
- /usr/bin/gs-esp ixr,
- /usr/bin/mktexpk Cx -> sanitized_helper,
- /usr/bin/mktextfm Cx -> sanitized_helper,
- /usr/bin/dvipdfm Cx -> sanitized_helper,
- /usr/bin/dvipdfmx Cx -> sanitized_helper,
-
- # supported archivers
- /bin/gzip ixr,
- /bin/bzip2 ixr,
- /usr/bin/unrar* ixr,
- /usr/bin/unzip ixr,
- /usr/bin/7zr ixr,
- /usr/lib/p7zip/7zr ixr,
- /usr/bin/7za ixr,
- /usr/lib/p7zip/7za ixr,
- /usr/bin/zipnote ixr,
- /bin/tar ixr,
- /usr/bin/xz ixr,
-
- # allow read access to anything in /usr/share, for plugins and input methods
- /usr/local/share/** r,
- /usr/share/** r,
- /usr/lib/ghostscript/** mr,
- /var/lib/ghostscript/** r,
- /var/lib/texmf/** r,
-
- # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
- # read for all supported file formats
- /**.[bB][mM][pP] r,
- /**.[dD][jJ][vV][uU] r,
- /**.[dD][vV][iI] r,
- /**.[gG][iI][fF] r,
- /**.[jJ][pP][gG] r,
- /**.[jJ][pP][eE][gG] r,
- /**.[oO][dD][pP] r,
- /**.[fFpP][dD][fF] r,
- /**.[pP][nN][mM] r,
- /**.[pP][nN][gG] r,
- /**.[pP][sS] r,
- /**.[eE][pP][sS] r,
- /**.[eE][pP][sS][fFiI23] r,
- /**.[tT][iI][fF] r,
- /**.[tT][iI][fF][fF] r,
- /**.[xX][pP][mM] r,
- /**.[gG][zZ] r,
- /**.[bB][zZ]2 r,
- /**.[cC][bB][rRzZ7] r,
- /**.[xX][zZ] r,
-
- # Use abstractions/private-files instead of abstractions/private-files-strict
- # and add the sensitive files manually to work around LP: #451422. The goal
- # is to disallow access to the .mozilla folder in general, but to allow
- # access to the Cache directory, which the browser may tell evince to open
- # from directly.
-
- include
- audit deny @{HOME}/@{XDG_GPG_DIR}/** mrwkl,
- audit deny @{HOME}/@{XDG_SSH_DIR}/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
- audit deny @{HOME}/.pki/nssdb/** w,
-
- audit deny @{HOME}/.mozilla/*/*/* mrwkl,
- audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
- audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
- audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
- audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
-
- audit deny @{user_config_dirs}/chromium/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{user_config_dirs}/evolution/** mrwkl,
- audit deny @{HOME}/.kde/share/config/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
-
- # When LP: #451422 is fixed, change the above to simply be:
- include
- #owner @{HOME}/.mozilla/**/*Cache/* r,
-
- include if exists