apparmor.d -> profiles

2021-04-01 16:02:59 +01:00 · 2021-04-01 16:02:59 +01:00 · e9b8e62fcd
commit e9b8e62fcd
parent c408a878b7
726 changed files with 0 additions and 0 deletions
--- a/profiles/usr.bin.pidgin
+++ b/profiles/usr.bin.pidgin
@ -0,0 +1,87 @@
+# vim:syntax=apparmor
+
+include <tunables/global>
+
+/usr/bin/pidgin {
+  include <abstractions/audio>
+  include <abstractions/base>
+  include <abstractions/bash>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/dconf>
+  include <abstractions/enchant>
+  include <abstractions/gnome>
+  include <abstractions/gstreamer>
+  include <abstractions/ibus>
+  include <abstractions/nameservice>
+  include <abstractions/private-files-strict>
+  include <abstractions/ssl_certs>
+  include <abstractions/ubuntu-browsers>
+  include <abstractions/ubuntu-helpers>
+  include <abstractions/user-download>
+
+  dbus receive
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged,PropertiesChanged}
+       peer=(label=unconfined),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=state
+       peer=(label=unconfined),
+
+  deny ptrace,
+  deny capability sys_ptrace,
+  deny @{HOME}/.local/share/applications/wine/ r,
+
+  owner @{HOME}/.purple/ rw,
+  owner @{HOME}/.purple/** rwk,
+  owner @{HOME}/.purple/plugins/*.so m,
+  owner @{HOME}/.config/indicators/ rw,
+  owner @{HOME}/.config/indicators/** rw,
+  owner @{HOME}/.local/share/applications/ r,
+
+  # Uncomment the two following lines if you want to allow Pidgin to update
+  # any DConf setting:
+  # owner @{HOME}/.{cache,config}/dconf/user rw,
+  # owner /{,var/}run/user/[0-9]*/dconf/user rwk,
+
+  /{usr/,}bin/dash rix,
+  /{usr/,}bin/which rix,
+
+  # NB: the preferred browser and proxy settings must be configured
+  # in the GNOME preferences: this profile does not allow running
+  # the corresponding external configuration applications.
+  /usr/bin/gconftool-2 rPix,
+  /usr/bin/gnome-open rmix,
+  /usr/bin/gsettings rix,
+  /usr/bin/gvfs-open rmix,
+  /usr/bin/pidgin r,
+  /usr/bin/xdg-open rmix,
+
+  /etc/purple/prefs.xml r,
+
+  /usr/lib/frei0r-1/*.so rm,
+  /usr/lib/@{multiarch}/libvisual-*/**.so rm,
+  /usr/lib/pidgin/*.so rm,
+  /usr/lib/purple*/*.so rm,
+
+  # pidgin-blinklight plugin
+  /usr/lib/pidgin-blinklight/blinklight-fixperm rPix,
+  @{PROC}/acpi/ibm/light rwk,
+
+  /usr/share/purple/ca-certs/ r,
+  /usr/share/purple/ca-certs/** r,
+  /usr/share/tcltk/** r,
+  /usr/share/themes/ r,
+
+  owner @{PROC}/@{pid}/auxv r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include <local/usr.bin.pidgin>
+}