# apparmor.d - Full set of apparmor profiles # Copyright (C) Jamie Strandboge # SPDX-License-Identifier: GPL-2.0-only # Limit executable access and reasonable read access. A look at # the gconf schema files for totem-video-thumbnailer reveals at least the # following files: # 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac, # flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska, # midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf, # netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram, # realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox, # vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim, # x-it, xm # # While ideally we would narrow down our read access to the above, this is # a maintenance problem and doesn't work for files without extensions. include include include include # Allow read on all directories /**/ r, # Allow read on removable media and files in /usr/share and /usr/local/share /usr/local/share/** r, /usr/share/** r, /{media,mnt,opt,srv}/** r, owner @{user_cache_dirs}/mesa/** rwk, owner @{user_cache_dirs}/thumbnails/** rw, owner @{user_cache_dirs}/totem/ rw, owner @{user_cache_dirs}/totem/** rwk, owner @{user_cache_dirs}/totem-* rwk, owner @{user_cache_dirs}/tracker/db-locale.txt r, owner @{user_cache_dirs}/tracker/meta.db{,-shm,-journal,-wal} rwk, owner @{user_cache_dirs}/tracker/ontologies.gvdb r, owner @{user_config_dirs}/totem/ rwk, owner @{user_config_dirs}/totem/** rwk, owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, owner @{user_share_dirs}/totem/ rwk, owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk, owner @{PROC}/@{pid}/{mountinfo,status} r, @{run}/udev/data/+drm:card* r, @{run}/udev/data/+usb* r, @{sys}/devices/system/node/*/meminfo r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists