[pkg-apparmor] [apparmor-profiles-extra] 04/08: Totem: update to https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/310120.

Intrigeri intrigeri at moszumanska.debian.org
Mon Jul 3 07:16:47 UTC 2017 

This is an automated email from the git hooks/post-receive script.

intrigeri pushed a commit to branch master
in repository apparmor-profiles-extra.

commit 2b9bdf80bb30ebcd1b964f638a13ded2b8ccd141
Author: intrigeri <intrigeri at boum.org>
Date:   Mon Jul 3 07:07:16 2017 +0000

    Totem: update to https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/310120.
---
 profiles/abstractions/totem       | 19 ++++++++++++++++---
 profiles/usr.bin.totem            | 11 +++++++++--
 profiles/usr.bin.totem-previewers | 10 ++++++----
 3 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
index 23eb217..09cc8bb 100644
--- a/profiles/abstractions/totem
+++ b/profiles/abstractions/totem
@@ -30,13 +30,26 @@
 
   /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
 
-  owner @{HOME}/.cache/tracker/meta.db k,
-  owner @{HOME}/.cache/tracker/meta.db-shm k,
-  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm} k,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner @{HOME}/.cache/totem/** rwk,
+  owner @{HOME}/.cache/totem-* rwk,
+  owner @{HOME}/.cache/tracker/db-locale.txt r,
+  owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.cache/tracker/ontologies.gvdb r,
+  owner @{HOME}/.config/totem/ rwk,
+  owner @{HOME}/.config/totem/** rwk,
+  owner @{HOME}/.local/share/grilo-plugins/ rwk,
+  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.local/share/gvfs-metadata/** r,
+  owner @{HOME}/.local/share/totem/ rwk,
 
   owner @{PROC}/@{pid}/status r,
 
   /run/udev/data/c* r,
   /run/udev/data/+drm:card* r,
+  /run/udev/data/+usb* r,
 
   /sys/devices/system/node/*/meminfo r,
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
index 1455256..744d2fe 100644
--- a/profiles/usr.bin.totem
+++ b/profiles/usr.bin.totem
@@ -6,6 +6,7 @@
 /usr/bin/totem {
   #include <abstractions/audio>
   #include <abstractions/dconf>
+  #include <abstractions/ibus>
   #include <abstractions/python>
   #include <abstractions/totem>
 
@@ -14,18 +15,24 @@
 
   /usr/bin/totem r,
   /usr/bin/totem-video-thumbnailer Pix,
+  /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
   /dev/sr* r,
 
-  # Allow read and write on anything in @{HOME}. Lenient, but
+  # Quiet logs
+  deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
+
+  # Allow read and write on almost anything in @{HOME}. Lenient, but
   # private-files-strict is in effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** rw,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   owner /{,var/}run/user/*/dconf/user w,
   owner /{,var/}run/user/*/at-spi2-*/   rw,
   owner /{,var/}run/user/*/at-spi2-*/** rw,
 
   /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem>
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
index 71f759c..b08af56 100644
--- a/profiles/usr.bin.totem-previewers
+++ b/profiles/usr.bin.totem-previewers
@@ -6,16 +6,17 @@
 /usr/bin/totem-video-thumbnailer {
   #include <abstractions/totem>
 
-  # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+  # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   # Not needed by nautilus, but maybe other applications
   owner /**.[pP][nN][gG] w,
   owner /**.[jJ][pP]{,[eE]}[gG] w,
 
-  /usr/bin/totem-video-thumbnailer r,
+  /usr/bin/totem-video-thumbnailer rm,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>
@@ -28,7 +29,8 @@
   # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/apparmor-profiles-extra.git

More information about the pkg-apparmor-team mailing list