~tarmac-control-tower/tarmac/main


Viewing changes to data/tarmac.apparmor

  • Committer: Paride Legovini
  • Date: 2019-06-26 18:55:59 UTC
  • Revision ID: paride.legovini@canonical.com-20190626185559-4s54947lxwoq5m7i
Repository converted to git

https://code.launchpad.net/tarmac/+git

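--- a/data/tarmac.apparmor
+++ b/data/tarmac.apparmor
@@ -1,50 +0,0 @@
-#include <tunables/global>
-
-/**/tarmac {
-  #include <abstractions/base>
-  #include <abstractions/python>
-  #include <abstractions/private-files-strict>
-
-  @{HOME}/.cache/tarmac/ w,
-  @{HOME}/.cache/tarmac/** rwl,
-
-  @{HOME}/.config/tarmac/ w,
-  @{HOME}/.config/tarmac/** rwl,
-
-  owner /tmp/tarmac/ w,
-  owner /tmp/tarmac/** rwl,
-
-  owner /var/cache/tarmac/ w,
-  owner /var/cache/tarmac/** rwl,
-
-  /** Cx -> tarmac_child,
-
-  profile tarmac_child {
-    #include <abstractions/base>
-    #include <abstractions/bash>
-    #include <abstractions/dbus-session>
-    #include <abstractions/gnome>
-    #include <abstractions/kde>
-    #include <abstractions/perl>
-    #include <abstractions/python>
-    #include <abstractions/private-files-strict>
-
-    # Need to be able exec most anything, which unfortunately
-    # requires a lot of read permissions
-    /**/ r,
-    /** rmix,
-
-    # Don't allow access to bzr
-    audit deny @{HOME}/.bazaar/** mrukl,
-    audit deny @{HOME}/.bzr* mrukl,
-    audit deny /**/.bzr/** mrukl,
-
-    # Don't allow subprocesses to access the tarmac config, or cache
-    audit deny @{HOME}/.cache/tarmac/** mrukl,
-    audit deny @{HOME}/.config/tarmac/** mrukl,
-    audit deny /tmp/tarmac/merge.** mrukl,
-    audit deny /var/cache/tarmac/** mrukl,
-
-    owner /tmp/tarmac/branch.** rwl,
-  }
-}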