[pkg-apparmor] Add Eye of GNOME profile.
cypherpunks at sigaint.org
Mon Feb 22 00:44:02 UTC 2016
AppArmor profile for eog upstreamed. Originally I posted on the Tails
tracker, and they told me to send it upstream to Debian. Debian told me
to send it upstream to AppArmor, so now I'm here.

Anyway, here's a profile for Eye of GNOME. How's it look? Can I get this
packaged into Debian's apparmor-profiles?
---
# vim:syntax=apparmor
#include <tunables/global>
/usr/bin/eog {
  #include <abstractions/ibus>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/private-files-strict>

  # Allow read on all directories
  /**/ r,

  # Allow read on files in /usr/share and /usr/local/share
  /usr/{,local/}share/eog/** r,
  /usr/{,local/}share/glib-*/** r,
  /usr/{,local/}share/thumbnailers/** r,
  /usr/bin/eog r,

  # An image viewer doesn't need access to everything in the nameservice
  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
  # logging denial of nsswitch.conf and machine-id.
  /etc/passwd r,
  /etc/group r,
  deny /etc/machine-id r,
  deny /etc/nsswitch.conf r,

  # From https://help.gnome.org/users/eog/stable/formats-view.html.en
  # Allow reading all supported file formats.
  /**.[aA][nN][iI] r, # .ani
  /**.[bB][mM][pP] r, # .bmp
  /**.[gG][iI][fF] r, # .gif
  /**.[iI][cC][oO] r, # .ico
  /**.[jJ][pP][gG] r, # .jpg
  /**.[jJ][pP][eE][gG] r, # .jpeg
  /**.[pP][cC][xX] r, # .pcx
  /**.[pP][nN][gG] r, # .png
  /**.[pP][nN][mM] r, # .pnm
  /**.[rR][aA][sS] r, # .ras
  /**.[sS][vV][gG] r, # .svg
  /**.[tT][gG][aA] r, # .tga
  /**.[tT][iI][fF][fF] r, # .tiff
  /**.[tT][iI][fF] r, # .tif
  /**.[wW][bB][mM][pP] r, # .wbmp
  /**.[xX][bB][mM] r, # .xbm
  /**.[xX][pP][mM] r, # .xpm

  # Allow maintaining thumbnail caches
  owner @{HOME}/.cache/thumbnails/ rw,
  owner @{HOME}/.cache/thumbnails/** rw,

  owner /{,var/}run/user/*/dconf/user w,
  owner /{,var/}run/user/*/at-spi2-*/ rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,
}
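
To check which paths the profile's read rules cover, here is an added example that is not part of the original message: a simplified Python model of AppArmor path globs, run over constructed sample paths. The names `glob_to_regex` and `matching_rules` are hypothetical, and the included abstractions, `deny` rules and `owner` qualifiers are not modelled.

```python
import re

# Read rules copied from the profile above (subset of the extension rules).
READ_RULES = [
    "/**/",
    "/usr/{,local/}share/eog/**",
    "/usr/bin/eog",
    "/etc/passwd",
    "/**.[jJ][pP][gG]",
    "/**.[pP][nN][gG]",
    "/**.[tT][iI][fF][fF]",
]

def glob_to_regex(glob):
    """Simplified translation of an AppArmor path glob to an anchored regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # ** also crosses "/" separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                  # character class, e.g. [jJ]
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":                  # alternation, e.g. {,local/}
            end = glob.index("}", i)
            alts = glob[i + 1:end].split(",")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z", re.S)

def matching_rules(path):
    """Return the read rules that match path (directories end in "/")."""
    return [r for r in READ_RULES if glob_to_regex(r).match(path)]

# Constructed sample paths, not taken from the original message.
for p in ["/home/alice/Pictures/cat.JPG", "/srv/backup/scan.tiff",
          "/home/alice/Documents/", "/home/alice/notes.txt"]:
    print(p, "->", matching_rules(p) or "no read rule")
```

The extension rules in the profile carry no `owner` qualifier, so in this model a match depends only on the file name and not on who owns the file.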