# Example usage for an ubuntu-account-plugin app 'appname'
# $ aa-easyprof --template=ubuntu-account-plugin \
# --profile-name=com.example.appname \
# --template-var="@{APP_PKGNAME}=appname" \
# --template-var="@{APP_VERSION}=0.1" \
# "/usr/share/appname/**"
#include <tunables/global>
###PROFILEATTACH### (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
# IPC rules common for all apps
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communication with any system service is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
#include <abstractions/dbus-strict>
# on-screen keyboard (OSK)
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
peer=(name=org.maliit.server,label=unconfined),
unix (connect, receive, send)
peer=(addr="@/tmp/maliit-server/dbus-*"),
# clipboard (LP: #1371170)
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),
peer=(name=org.a11y.Bus,label=unconfined),
interface=org.a11y.atspi**
peer=(label=unconfined),
peer=(label=unconfined),
# Deny potentially dangerous access
path=/com/canonical/[Uu]nity/[Dd]ebug**,
audit deny dbus bus=session
interface="com.canonical.snapdecisions",
interface="org.gnome.GConf.Server",
path="/org/freedesktop/Accounts",
name="org.freedesktop.Application",
# end DBus rules common for all apps
# Don't allow apps to access scope endpoints
audit deny /run/user/[0-9]*/zmq/ rw,
audit deny /run/user/[0-9]*/zmq/** rwk,
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera
deny @{PROC}/[0-9]*/mounts r,
deny /dev/disk/by-label/ r,
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,
deny @{HOME}/.cache/QML/Apps/ r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
/custom/xdg/data/themes/ r,
/custom/xdg/data/themes/** r,
/custom/usr/share/fonts/ r,
/custom/usr/share/fonts/** r,
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps -- this will be easier once we have a PID kernel
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this leaks running processes. Is it actually required? AppArmor kernel
# var could solve this
owner @{PROC}/[0-9]*/cmdline r,
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
deny @{PROC}/xlog/ r,
deny @{PROC}/xlog/* rw,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/devices/system/cpu/ r,
/sys/kernel/debug/tracing/trace_marker w,
/etc/udev/udev.conf r,
/sys/devices/pci[0-9]*/**/uevent r,
# Not required, but noisy
deny /run/udev/data/** r,
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
# Application install dirs
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
# Application writable dirs
owner /{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
path="/com/google/code/AccountsSSO/Accounts/Manager"
interface="com.google.code.AccountsSSO.Accounts.Manager"
peer=(name=com.google.code.AccountsSSO.Accounts.Manager,label=unconfined),