
#include <tunables/global>

/usr/bin/media-hub-server (attach_disconnected) {
  # Confinement profile for the media-hub playback service.
  # attach_disconnected is needed by the property_service socket rule below
  # (marked "attach_disconnected path").

  # Baseline abstractions: libc/locale basics, audio and video device nodes,
  # name resolution, session D-Bus plus the strict D-Bus mediation rules, and
  # the per-user /tmp. The quoted absolute includes are per-hardware snippets
  # that live outside the standard abstractions tree.
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/nameservice>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-strict>
  #include <abstractions/user-tmp>
  #include <abstractions/video>
  #include "/usr/share/apparmor/hardware/audio.d"
  #include "/usr/share/apparmor/hardware/graphics.d"
  #include "/usr/share/apparmor/hardware/video.d"

  # The platform tries to move the process between cpuctl cgroups; refuse the
  # write. An explicit deny (rather than simply omitting the rule) also keeps
  # the expected attempt out of the audit log.
  deny /dev/cpuctl/apps/tasks w,
  deny /dev/cpuctl/apps/bg_non_interactive/tasks w,

  # /proc: interrupts is world-readable; everything else is limited to entries
  # owned by the service's own uid (owner) -- in practice its own pid tree.
  @{PROC}/interrupts r,
  owner @{PROC}/cmdline r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/fd/ r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/ r,
  owner @{PROC}/[0-9]*/cmdline r,

  # udev config may be read, but the udev device database is withheld. The
  # deny matters because the "/**/ r" rule further down would otherwise grant
  # listing of those directories.
  /etc/udev/udev.conf r,
  deny /run/udev/data/** r,

  # specific to the mediatek soc
  # NOTE(review): "/sys/bus/platform/drivers/** rw" grants write access to the
  # sysfs attributes of every platform driver (e.g. bind/unbind), not just the
  # video codec path. Scope this to the specific driver nodes the SoC codec
  # actually touches once they are known; DAC is the only remaining limit.
  @{PROC}/xlog/setfil r,
  @{PROC}/M4U_device r,
  /dev/Vcodec rw,
  /sys/bus/platform/drivers/** rw,
  /{,android/}system/etc/mtk_omx_core.cfg r,
  /dev/devmap r,
  @{PROC}/mtk_mdp_cmdq r,

  # V4L2 device nodes and their sysfs descriptions: read-only here (any
  # further access comes from abstractions/video and the hardware includes).
  /dev/video*                           r,
  /sys/devices/**/video4linux/video**   r,
  /sys/devices/**/video4linux/**/uevent r,

  # Write-only access to the ftrace user marker (debugfs) and Android shared
  # memory.
  /sys/kernel/debug/tracing/trace_marker w,
  /dev/ashmem rw,

  # ptrace read is restricted to peers running under this same profile
  # (peer=@{profile_name}); no other process may be inspected.
  ptrace (read) peer=@{profile_name},

  # NOTE(review): the original comment here read "Explicitly deny this-- it is
  # not needed", but the rule below GRANTS read/write on the framebuffer. The
  # comment and the rule disagree; if the stated intent is right this should
  # be "deny /dev/fb0 rw," -- confirm on a device before changing it, since a
  # deny here would break any direct framebuffer output path.
  /dev/fb0 rw,

  # libhybris
  # Android-side shared memory plus mmap-exec (m) of the hybris shims and the
  # vendor/system libraries they load.
  /{,var/}run/shm/hybris_shm_data rw,
  /usr/lib/@{multiarch}/libhybris/*.so mr,
  /{,android/}system/build.prop r,
  # These libraries can be in any of:
  #  /vendor/lib
  #  /system/lib
  #  /system/vendor/lib
  #  /android/vendor/lib
  #  /android/system/lib
  #  /android/system/vendor/lib
  /{,android/}vendor/lib/**           r,
  /{,android/}vendor/lib/**.so        m,
  /{,android/}system/lib/**           r,
  /{,android/}system/lib/**.so        m,
  /{,android/}system/vendor/lib/**    r,
  /{,android/}system/vendor/lib/**.so m,

  # attach_disconnected path
  # NOTE(review): rw on the Android property_service socket is what allows a
  # client to *set* system properties, not merely read them; confirm media-hub
  # needs to set properties and not only read the property area.
  /dev/socket/property_service rw,

  # Android logging triggered by platform. Can safely deny
  deny /dev/log_main w,
  deny /dev/log_radio w,
  deny /dev/log_events w,
  deny /dev/log_system w,

  # Allow all access to powerd for now, but we can fine-tune this if needed
  # NOTE(review): neither D-Bus rule carries a peer= constraint, so the label
  # of the other end of the message is not checked -- any bus client may send
  # to or receive from this path/interface pair as far as this profile is
  # concerned. Adding peer=(label=...) would pin it to the real services.
  dbus (receive, send)
      bus=system
      path=/com/canonical/powerd
      interface=com.canonical.powerd,

  dbus (receive, send)
      bus=system
      path=/com/canonical/Unity/Screen
      interface=com.canonical.Unity.Screen,

  # GStreamer plugin registry cache: read/write, but only for files owned by
  # the service's uid. The plugin scanner is executed with ix, so it inherits
  # this same profile rather than running unconfined.
  owner @{HOME}/.gstreamer*/registry.*.bin*       rw,
  owner @{HOME}/.gstreamer*/                      rw,
  owner @{HOME}/.cache/gstreamer*/                rw,
  owner @{HOME}/.cache/gstreamer*/registry.*.bin* rw,
  /usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner ix,

  # The user-tmp abstraction allows writes to these files, but gstreamer sometimes
  # needs to also mmap its temporary files
  owner /tmp/orcexec* m,

  # Codec list and wildmidi configuration, read-only.
  /{,android/}system/etc/media_codecs.xml r,
  /etc/wildmidi/wildmidi.cfg r,

  # Allow read on all directories
  # (directory entries only -- the trailing slash does not grant file reads;
  # explicit deny rules such as /run/udev/data above still win)
  /**/ r,

  # camera click
  /{,android/}system/media/audio/ui/camera_click.ogg r,

  # custom sounds
  /custom/usr/share/sounds/ r,
  /custom/usr/share/sounds/** r,

  # Allow read on click install directories, removable media and files in
  # /usr/local/share.
  /usr/share/** r,
  /usr/local/share/** r,
  /{media,mnt,opt,srv}/** r,

  # Allow reading any files in non-hidden directories
  # (owner-restricted: only files owned by the service's uid; dotfiles and
  # dot-directories at the top of $HOME are excluded by the [^.] pattern)
  owner @{HOME}/[^.]*    rk,
  owner @{HOME}/[^.]*/   rk,
  owner @{HOME}/[^.]*/** rk,

  # Allow reading files in XDG directories (ie, where apps are allowed to
  # write)
  owner @{HOME}/.cache/**       rk,
  owner @{HOME}/.local/share/** rk,
  owner /{,var/}run/user/[0-9]*/** rk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.media-hub-server>
}