4
owner @{HOME}/.java/deployment/deployment.properties k,
7
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
8
/usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
9
/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
10
/usr/lib/jvm/java-7-openjdk/jre/bin/java cx -> browser_openjdk,
11
/usr/lib/jvm/java-7-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
12
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
13
/usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
14
/usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
16
# Profile for the supported OpenJDK in Ubuntu. This doesn't require the
17
# unfortunate workarounds of the proprietary Javas, so have a separate
19
profile browser_openjdk {
20
#include <abstractions/base>
21
#include <abstractions/fonts>
22
#include <abstractions/gnome>
23
#include <abstractions/kde>
24
#include <abstractions/nameservice>
25
#include <abstractions/ssl_certs>
26
#include <abstractions/user-tmp>
27
#include <abstractions/private-files-strict>
31
@{PROC}/[0-9]*/net/if_inet6 r,
32
@{PROC}/[0-9]*/net/ipv6_route r,
37
/etc/ssl/certs/java/* r,
42
@{PROC}/filesystems r,
43
/sys/devices/system/cpu/ r,
44
/sys/devices/system/cpu/** r,
46
/var/lib/dbus/machine-id r,
49
/usr/lib/jvm/java-{6,7}-openjdk*/jre/bin/java ix,
50
/usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
52
# Why would java need this?
53
deny /usr/bin/gconftool-2 x,
59
# Profile for commercial Javas. These need workarounds to work right (eg
60
# Sun's forcing of an executable stack (LP: #535247)).
61
profile browser_java {
62
#include <abstractions/base>
63
#include <abstractions/fonts>
64
#include <abstractions/gnome>
65
#include <abstractions/kde>
66
#include <abstractions/nameservice>
67
#include <abstractions/ssl_certs>
68
#include <abstractions/user-tmp>
69
#include <abstractions/private-files-strict>
73
@{PROC}/[0-9]*/net/if_inet6 r,
74
@{PROC}/[0-9]*/net/ipv6_route r,
77
/etc/debian_version r,
81
/etc/ssl/certs/java/* r,
86
@{PROC}/filesystems r,
87
/sys/devices/system/cpu/ r,
88
/sys/devices/system/cpu/** r,
90
/var/lib/dbus/machine-id r,
93
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
94
/usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
95
/usr/lib/j2*-ibm/jre/bin/java ix,
97
# noisy, can't write here anyway
101
deny /usr/bin/gconftool-2 x,
104
owner @{HOME}/** rwk,
106
# These are seriously unfortunate, but required due to LP: #535247
108
owner @{HOME}/.java/**/cache/** m,
110
/usr/lib{,32,64}/jvm/**/*.jar mr,
111
/usr/share/fonts/** m,