[pkg-apparmor] [apparmor-profiles-extra] 01/03: Drop Evince profile and abstraction: they are shipped by the evince package starting with 3.20.0-2.
Intrigeri
intrigeri at moszumanska.debian.org
Thu Apr 28 09:30:49 UTC 2016
intrigeri pushed a commit to branch master
in repository apparmor-profiles-extra.
commit 6b750a4c78cfef7de42845a8663d7b6371eec86d
Author: intrigeri <intrigeri at boum.org>
Date: Thu Apr 28 09:21:29 2016 +0000
Drop Evince profile and abstraction: they are shipped by the evince package starting with 3.20.0-2.
---
debian/README.Debian | 4 +-
debian/copyright | 4 -
profiles/abstractions/evince | 124 ------------------------------
profiles/usr.bin.evince | 177 -------------------------------------------
4 files changed, 1 insertion(+), 308 deletions(-)
diff --git a/debian/README.Debian b/debian/README.Debian
index e7a94c3..33181b1 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -2,8 +2,6 @@ Included profiles
=================
- apt-cacher-ng: taken from the apparmor-profiles repository at revision 153.
-- Evince: taken from Ubuntu's evince 3.14.1-0ubuntu1.
- Still up-to-date as of 3.16.1-0ubuntu1.
- GStreamer abstraction, gst_plugin_scanner named profile: taken from
the apparmor-profiles repository at revision 142. Still up-to-date
as of revision 146.
@@ -26,4 +24,4 @@ apparmor-profiles repository
https://code.launchpad.net/~apparmor-dev/apparmor-profiles/master
- -- intrigeri <intrigeri at debian.org>, Sat, 14 Nov 2015 14:33:04 +0100
+ -- intrigeri <intrigeri at debian.org>, Thu, 28 Apr 2016 11:21:02 +0200
diff --git a/debian/copyright b/debian/copyright
index c77e269..266590f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -13,10 +13,6 @@ Files: profiles/usr.bin.irssi profiles/usr.bin.pidgin
Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
License: GPL-2+
-Files: profiles/usr.bin.evince profiles/abstractions/evince
-Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
-License: GPL-2+
-
Files: profiles/usr.sbin.apt-cacher-ng
Copyright: 2008-2014 AppArmor developers <apparmor at lists.ubuntu.com>
License: GPL-2+
diff --git a/profiles/abstractions/evince b/profiles/abstractions/evince
deleted file mode 100644
index e6a5757..0000000
--- a/profiles/abstractions/evince
+++ /dev/null
@@ -1,124 +0,0 @@
-# vim:syntax=apparmor
-#
-# abstraction used by evince binaries
-#
-
- #include <abstractions/gnome>
- #include <abstractions/p11-kit>
- #include <abstractions/ubuntu-helpers>
-
- @{PROC}/[0-9]*/fd/ r,
- @{PROC}/[0-9]*/mountinfo r,
- owner @{PROC}/[0-9]*/auxv r,
- owner @{PROC}/[0-9]*/status r,
-
- # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
- # Possibly move to an abstraction if anything else needs it.
- deny /run/udev/data/** r,
-
- # move out to the gnome abstraction if anyone else needs these
- /dev/.udev/{data,db}/* r,
- /etc/udev/udev.conf r,
- /sys/devices/**/block/**/uevent r,
-
- # apport
- /etc/default/apport r,
-
- # XFCE
- /etc/xfce4/defaults.list r,
-
- # Lubuntu
- /etc/xdg/lubuntu/applications/defaults.list r,
-
- # evince specific
- /etc/ r,
- /etc/fstab r,
- /etc/texmf/ r,
- /etc/texmf/** r,
- /etc/xpdf/* r,
- owner @{HOME}/.config/evince/ rw,
- owner @{HOME}/.config/evince/** rwkl,
-
- /usr/bin/gs-esp ixr,
- /usr/bin/mktexpk Cx -> sanitized_helper,
- /usr/bin/mktextfm Cx -> sanitized_helper,
- /usr/bin/dvipdfm Cx -> sanitized_helper,
- /usr/bin/dvipdfmx Cx -> sanitized_helper,
-
- # supported archivers
- /bin/gzip ixr,
- /bin/bzip2 ixr,
- /usr/bin/unrar* ixr,
- /usr/bin/unzip ixr,
- /usr/bin/7zr ixr,
- /usr/lib/p7zip/7zr ixr,
- /usr/bin/7za ixr,
- /usr/lib/p7zip/7za ixr,
- /usr/bin/zipnote ixr,
- /bin/tar ixr,
- /usr/bin/xz ixr,
-
- # allow read access to anything in /usr/share, for plugins and input methods
- /usr/local/share/** r,
- /usr/share/** r,
- /usr/lib/ghostscript/** mr,
- /var/lib/ghostscript/** r,
- /var/lib/texmf/** r,
-
- # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
- # read for all supported file formats
- /**.[bB][mM][pP] r,
- /**.[dD][jJ][vV][uU] r,
- /**.[dD][vV][iI] r,
- /**.[gG][iI][fF] r,
- /**.[jJ][pP][gG] r,
- /**.[jJ][pP][eE][gG] r,
- /**.[oO][dD][pP] r,
- /**.[fFpP][dD][fF] r,
- /**.[pP][nN][mM] r,
- /**.[pP][nN][gG] r,
- /**.[pP][sS] r,
- /**.[eE][pP][sS] r,
- /**.[eE][pP][sS][fFiI23] r,
- /**.[tT][iI][fF] r,
- /**.[tT][iI][fF][fF] r,
- /**.[xX][pP][mM] r,
- /**.[gG][zZ] r,
- /**.[bB][zZ]2 r,
- /**.[cC][bB][rRzZ7] r,
- /**.[xX][zZ] r,
-
- # Use abstractions/private-files instead of abstractions/private-files-strict
- # and add the sensitive files manually to work around LP: #451422. The goal
- # is to disallow access to the .mozilla folder in general, but to allow
- # access to the Cache directory, which the browser may tell evince to open
- # from directly.
-
- #include <abstractions/private-files>
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
- audit deny @{HOME}/.pki/nssdb/** w,
-
- audit deny @{HOME}/.mozilla/*/*/* mrwkl,
- audit deny @{HOME}/.mozilla/**/bookmarkbackups/** mrwkl,
- audit deny @{HOME}/.mozilla/**/chrome/** mrwkl,
- audit deny @{HOME}/.mozilla/**/extensions/** mrwkl,
- audit deny @{HOME}/.mozilla/**/gm_scripts/** mrwkl,
-
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde/share/config/** mrwkl,
- audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
-
- # When LP: #451422 is fixed, change the above to simply be:
- ##include <abstractions/private-files-strict>
- #owner @{HOME}/.mozilla/**/*Cache/* r,
-
- # Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.evince>
diff --git a/profiles/usr.bin.evince b/profiles/usr.bin.evince
deleted file mode 100644
index d77fb3b..0000000
--- a/profiles/usr.bin.evince
+++ /dev/null
@@ -1,177 +0,0 @@
-# vim:syntax=apparmor
-# Author: Kees Cook <kees at canonical.com>
-# Jamie Strandboge <jamie at canonical.com>
-
-#include <tunables/global>
-
-/usr/bin/evince {
- #include <abstractions/audio>
- #include <abstractions/bash>
- #include <abstractions/cups-client>
- #include <abstractions/dbus>
- #include <abstractions/dbus-session>
- #include <abstractions/dbus-accessibility>
- #include <abstractions/evince>
- #include <abstractions/ibus>
- #include <abstractions/nameservice>
-
- #include <abstractions/ubuntu-browsers>
- #include <abstractions/ubuntu-console-browsers>
- #include <abstractions/ubuntu-email>
- #include <abstractions/ubuntu-console-email>
- #include <abstractions/ubuntu-media-players>
-
- # Terminals for using console applications. These abstractions should ideally
- # have 'ix' to restrict access to what only evince is allowed to do
- #include <abstractions/ubuntu-gnome-terminal>
-
- # By default, we won't support launching a terminal program in Xterm or
- # KDE's konsole. It opens up too many unnecessary files for most users.
- # People who need this functionality can uncomment the following:
- ##include <abstractions/ubuntu-xterm>
- ##include <abstractions/ubuntu-konsole>
-
- /usr/bin/evince rmPx,
- /usr/bin/evince-previewer Px,
- /usr/bin/yelp Cx -> sanitized_helper,
- /usr/bin/bug-buddy px,
- # 'Show Containing Folder' (LP: #1022962)
- /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
- /usr/bin/pcmanfm Cx -> sanitized_helper, # LXDE
- /usr/bin/krusader Cx -> sanitized_helper, # KDE
- /usr/bin/thunar Cx -> sanitized_helper, # XFCE
-
- # For Xubuntu to launch the browser
- /usr/bin/exo-open ixr,
- /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r,
-
- # For text attachments
- /usr/bin/gedit ixr,
-
- # For Send to
- /usr/bin/nautilus-sendto Cx -> sanitized_helper,
-
- # allow directory listings (ie 'r' on directories) so browsing via the file
- # dialog works
- / r,
- /**/ r,
-
- # This is need for saving files in your home directory without an extension.
- # Changing this to '@{HOME}/** r' makes it require an extension and more
- # secure (but with 'rw', we still have abstractions/private-files-strict in
- # effect).
- owner @{HOME}/** rw,
- owner /media/** rw,
- owner @{HOME}/.local/share/gvfs-metadata/** l,
- owner /{,var/}run/user/*/gvfs-metadata/** l,
-
- owner @{HOME}/.gnome2/evince/* rwl,
- owner @{HOME}/.gnome2/accels/ rw,
- owner @{HOME}/.gnome2/accelsevince rw,
- owner @{HOME}/.gnome2/accels/evince rw,
-
- # Maybe add to an abstraction?
- /etc/dconf/** r,
- owner @{HOME}/.cache/dconf/user rw,
- owner @{HOME}/.config/dconf/user r,
- owner /{,var/}run/user/*/dconf/ w,
- owner /{,var/}run/user/*/dconf/user rw,
- owner /{,var/}run/user/*/dconf-service/keyfile/ w,
- owner /{,var/}run/user/*/dconf-service/keyfile/user rw,
-
- owner /{,var/}run/user/*/at-spi2-*/ rw,
- owner /{,var/}run/user/*/at-spi2-*/** rw,
-
- # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
- # read and write for all supported file formats
- /**.[bB][mM][pP] rw,
- /**.[dD][jJ][vV][uU] rw,
- /**.[dD][vV][iI] rw,
- /**.[gG][iI][fF] rw,
- /**.[jJ][pP][gG] rw,
- /**.[jJ][pP][eE][gG] rw,
- /**.[oO][dD][pP] rw,
- /**.[fFpP][dD][fF] rw,
- /**.[pP][nN][mM] rw,
- /**.[pP][nN][gG] rw,
- /**.[pP][sS] rw,
- /**.[eE][pP][sS] rw,
- /**.[tT][iI][fF] rw,
- /**.[tT][iI][fF][fF] rw,
- /**.[xX][pP][mM] rw,
- /**.[gG][zZ] rw,
- /**.[bB][zZ]2 rw,
- /**.[cC][bB][rRzZ7] rw,
- /**.[xX][zZ] rw,
-
- # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
- # directory a file is saved. This allows that behavior.
- owner /**/.goutputstream-* w,
-}
-
-/usr/bin/evince-previewer {
- #include <abstractions/audio>
- #include <abstractions/bash>
- #include <abstractions/cups-client>
- #include <abstractions/dbus-session>
- #include <abstractions/dbus-accessibility>
- #include <abstractions/evince>
- #include <abstractions/ibus>
- #include <abstractions/nameservice>
-
- #include <abstractions/ubuntu-browsers>
- #include <abstractions/ubuntu-console-browsers>
- #include <abstractions/ubuntu-email>
- #include <abstractions/ubuntu-console-email>
- #include <abstractions/ubuntu-media-players>
-
- # Terminals for using console applications. These abstractions should ideally
- # have 'ix' to restrict access to what only evince is allowed to do
- #include <abstractions/ubuntu-gnome-terminal>
-
- # By default, we won't support launching a terminal program in Xterm or
- # KDE's konsole. It opens up too many unnecessary files for most users.
- # People who need this functionality can uncomment the following:
- ##include <abstractions/ubuntu-xterm>
-
- /usr/bin/evince-previewer mr,
- /usr/bin/yelp Cx -> sanitized_helper,
- /usr/bin/bug-buddy px,
-
- # Lenient, but remember we still have abstractions/private-files-strict in
- # effect). Write is needed for 'print to file' from the previewer.
- @{HOME}/ r,
- @{HOME}/** rw,
-
- # Maybe add to an abstraction?
- owner /{,var/}run/user/*/dconf/ w,
- owner /{,var/}run/user/*/dconf/user rw,
-}
-
-/usr/bin/evince-thumbnailer {
- #include <abstractions/dbus-session>
- #include <abstractions/evince>
-
- # The thumbnailer doesn't need access to everything in the nameservice
- # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
- # logging denial of nsswitch.conf.
- /etc/passwd r,
- /etc/group r,
- deny /etc/nsswitch.conf r,
-
- # TCP/UDP network access for NFS
- network inet stream,
- network inet6 stream,
- network inet dgram,
- network inet6 dgram,
-
- /usr/bin/evince-thumbnailer mr,
-
- # Lenient, but remember we still have abstractions/private-files-strict in
- # effect).
- @{HOME}/ r,
- owner @{HOME}/** rw,
- owner /media/** rw,
-}
--