[pkg-aa-profiles-team] [apparmor-profiles-extra] 03/04: Import the Totem profile.
Intrigeri
intrigeri at moszumanska.debian.org
Thu Aug 28 16:02:19 UTC 2014
This is an automated email from the git hooks/post-receive script.
intrigeri pushed a commit to branch master
in repository apparmor-profiles-extra.
commit f9680da09cd76ae08cb5706f2f5997554aa6b94a
Author: intrigeri <intrigeri at boum.org>
Date: Thu Aug 28 16:01:17 2014 +0000
Import the Totem profile.
---
debian/README.Debian | 1 +
debian/copyright | 4 ++++
profiles/abstractions/totem | 35 +++++++++++++++++++++++++++++++++++
profiles/usr.bin.totem | 23 +++++++++++++++++++++++
profiles/usr.bin.totem-previewers | 27 +++++++++++++++++++++++++++
5 files changed, 90 insertions(+)
diff --git a/debian/README.Debian b/debian/README.Debian
index 2ed9d76..0185689 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -5,6 +5,7 @@ Included profiles
- GStreamer abstraction, gst_plugin_scanner named profile: taken from
the apparmor-profiles repository at revision 134.
- Pidgin: taken from the apparmor-profiles repository at revision 125.
+- Totem: taken from the apparmor-profiles repository at revision 134.
- tcpdump: taken from Ubuntu's tcpdump 4.5.1-2ubuntu2.
- irssi: taken from the apparmor-profiles repository at revision 132.
diff --git a/debian/copyright b/debian/copyright
index 77f3464..1367118 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -13,6 +13,10 @@ Files: profiles/usr.bin.irssi, profiles/usr.bin.pidgin
Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
License: GPL-2+
+Files: profiles/abstractions/totem, profiles/usr.bin.totem*
+Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
+License: GPL-2+
+
Files: profiles/usr.sbin.tcpdump
Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
License: GPL-2+
diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
new file mode 100644
index 0000000..df8e9c4
--- /dev/null
+++ b/profiles/abstractions/totem
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at canonical.com>
+
+# Description: Limit executable access and reasonable read access. A look at
+# the gconf schema files for totem-video-thumbnailer reveals at least the
+# following files:
+# 3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
+# flc, fli, flic, flv, google-video-pointer, gpp, gsm, m4a, m4v, matroska,
+# midi, mod, mp3, mp4, mp4es, mpeg, mpt2, msvideo, ms-wm, musepack,mxf,
+# netshow, nsv, off, ogm, pict, pn-realaudio, prs.sid, quicktime, ram,
+# realpix, rn, sbc, sdp, shorten, speex, theora, totem-stream, tta, ultravox,
+# vivo, vorbis, wav, wavpack, wax, webm, wma, wmv, wmx, wpl, wvx, x-anim,
+# x-it, xm
+#
+# While ideally we would narrow down our read access to the above, this is
+# a maintenance problem and doesn't work for files without extensions.
+
+ #include <abstractions/gnome>
+ #include <abstractions/gstreamer>
+ #include <abstractions/nameservice>
+ #include <abstractions/dbus-session>
+
+ # Allow read on all directories
+ /**/ r,
+
+ # Allow read on removable media and files in /usr/share and /usr/local/share
+ /usr/local/share/** r,
+ /usr/share/** r,
+ /{media,mnt,opt,srv}/** r,
+
+ /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
+
+ owner @{HOME}/.cache/tracker/meta.db k,
+ owner @{HOME}/.cache/tracker/meta.db-shm k,
+ owner @{HOME}/.local/share/grilo-plugins/*.db k,
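Review bot: the `/**/ r,` rule under "Allow read on all directories" lets every program using this abstraction list any directory on the system that DAC permits, including other users' home directories, and `/{media,mnt,opt,srv}/** r,` additionally reads every file under those trees; the header comment already explains why read access is not narrowed by extension, so please carry that leniency into README.Debian next to the Totem entry so Debian users know what the profile does and does not confine. Two smaller points in the same hunk: the three `owner ... k,` rules only grant locking, so the tracker and grilo databases are only readable because the consuming profiles add `owner @{HOME}/** r` (or `rw`) themselves, which is worth a one-line comment; and the `Cix -> gst_plugin_scanner` transition requires the `gst_plugin_scanner` named profile from the gstreamer abstraction to be loaded, so the abstractions should be shipped and updated together. Cosmetic: "musepack,mxf" in the description comment is missing a space.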
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
new file mode 100644
index 0000000..e9b67e5
--- /dev/null
+++ b/profiles/usr.bin.totem
@@ -0,0 +1,23 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at canonical.com>
+
+#include <tunables/global>
+
+/usr/bin/totem {
+ #include <abstractions/audio>
+ #include <abstractions/dconf>
+ #include <abstractions/python>
+ #include <abstractions/totem>
+
+ # Maybe in an abstraction?
+ /usr/include/**/pyconfig.h r,
+
+ /usr/bin/totem r,
+
+ # Allow read and write on anything in @{HOME}. Lenient, but
+ # private-files-strict is in effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** rw,
+
+ owner /{,var/}run/user/*/dconf/user w,
+}
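Review bot: `owner @{HOME}/** rw,` is the widest rule in this profile, and the `private-files-strict` abstraction named in the comment only denies a fixed list of sensitive dotfiles, so every other user-owned file under `@{HOME}` stays writable; the in-profile comment acknowledges this, but the "Lenient" note should also reach README.Debian for the package's users. The `# Maybe in an abstraction?` question above `/usr/include/**/pyconfig.h r,` is an open TODO being imported verbatim: either move the rule into the python abstraction or reword the comment to state why totem needs it (its Python plugin support), so the next reader does not have to re-derive it.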
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
new file mode 100644
index 0000000..3709f99
--- /dev/null
+++ b/profiles/usr.bin.totem-previewers
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <jamie at canonical.com>
+
+#include <tunables/global>
+
+/usr/bin/totem-video-thumbnailer {
+ #include <abstractions/totem>
+
+ # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** r,
+
+ # Not needed by nautilus, but maybe other applications
+ owner /**.[pP][nN][gG] w,
+ owner /**.[jJ][pP]{,[eE]}[gG] w,
+}
+
+/usr/bin/totem-audio-preview {
+ #include <abstractions/totem>
+ #include <abstractions/audio>
+
+ # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # effect.
+ #include <abstractions/private-files-strict>
+ owner @{HOME}/** r,
+}
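Review bot: the two rules `owner /**.[pP][nN][gG] w,` and `owner /**.[jJ][pP]{,[eE]}[gG] w,` allow `totem-video-thumbnailer` to write any user-owned PNG or JPEG anywhere on the filesystem, which is much wider than the thumbnail cache the comment "Not needed by nautilus, but maybe other applications" alludes to; since the thumbnailer's output path is chosen by its caller, a narrowed rule may not be practical, but the trade-off (a misbehaving thumbnailer could overwrite any user-owned image) should be stated in the comment or README.Debian rather than left implicit. Minor: the identical three-line "Allow read on anything in @{HOME}" comment and `private-files-strict` include appear in both profiles in this file and in usr.bin.totem; a single comment in the totem abstraction, or a shared note in README.Debian, would keep them from drifting apart.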
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/apparmor-profiles-extra.git