# Example usage for an ubuntu-sdk app 'appname'
# $ aa-easyprof --template=ubuntu-sdk \
# --profile-name=com.example.appname \
# --template-var="@{APP_PKGNAME}=appname" \
# --template-var="@{APP_VERSION}=0.1" \
# "/usr/share/appname/**"
#include <tunables/global>
###PROFILEATTACH### (attach_disconnected) {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>
#include <abstractions/mir>
# Needed by native GL applications on Mir
owner /{,var/}run/user/*/mir_socket rw,
# Hardware-specific accesses
#include "/usr/share/apparmor/hardware/graphics.d"
# IPC rules common for all apps
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>
# Allow connecting to the system bus and discovering where to connect to
# services. Put these here so we don't need to repeat these rules in multiple
# places (actual communication with any system service is mediated by rules
# elsewhere). This does allow apps to brute-force enumerate system services
# (e.g. by probing well-known names), but our system services aren't a secret.
#include <abstractions/dbus-strict>
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
peer=(label=unconfined),
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
peer=(label=unconfined),
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication"
peer=(label=unconfined),
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
peer=(label=unconfined),
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
peer=(label=unconfined),
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
peer=(label=unconfined),
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
peer=(name=org.freedesktop.DBus,label=unconfined),
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate}
peer=(label=unconfined),
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
peer=(name=org.freedesktop.DBus,label=unconfined),
interface=org.gtk.Actions
peer=(label=unconfined),
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery"
peer=(label=unconfined),
interface="com.canonical.hud.Awareness"
member="CheckAwareness"
peer=(label=unconfined),
# on screen keyboard (OSK)
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
peer=(name=org.maliit.server,label=unconfined),
unix (connect, receive, send)
peer=(addr="@/tmp/maliit-server/dbus-*"),
# clipboard (LP: #1371170)
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),
path=/com/canonical/usensord/haptic
interface=com.canonical.usensord.haptic
peer=(label=unconfined),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
peer=(label=unconfined),
# This is needed when the app is already running and needs to be handed a
# URL to open. This is most often used with content-hub providers and
# url-dispatcher, but is supported by Qt generally. Only the receive side is
# allowed here; the send side is not, so a malicious app cannot use this
# interface to push a URL into another app.
interface="org.freedesktop.Application"
peer=(label=unconfined),
# This is needed for apps to interact with the Launcher (eg, for the counter)
path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
peer=(label=unconfined),
# Untrusted Helpers are 3rd party apps that run in a different confinement
# context and are in a separate Mir session from the calling app (eg, an
# app that uses a content provider from another app). These helpers use
# Trusted Prompt Sessions to overlay their window over the calling app and
# need to get the Mir socket that was setup by the associated trusted helper
# (eg, content-hub). Typical consumers are content-hub providers,
# pay-service, url-dispatcher and possibly online-accounts.
# LP: #1462492 - this rule is suboptimal and should not be needed once we
# move to socket activation or FD passing
path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*
interface="com.canonical.UbuntuAppLaunch.SocketDemangler"
member="GetMirSocket"
peer=(label=unconfined),
# Allow access to the socket-demangler (needed for the above)
/usr/lib/@{multiarch}/ubuntu-app-launch/socket-demangler rmix,
# TODO: finetune this -- the accessibility (a11y) rules below are broad
# (any org.a11y.atspi* interface to any unconfined peer)
peer=(name=org.a11y.Bus,label=unconfined),
interface=org.a11y.atspi**
peer=(label=unconfined),
peer=(label=unconfined),
# Deny potentially dangerous access
deny dbus bus=session
path=/com/canonical/[Uu]nity/[Dd]ebug**,
audit deny dbus bus=session
interface="com.canonical.snapdecisions",
interface="org.gnome.GConf.Server",
path="/org/freedesktop/Accounts",
name="org.freedesktop.Application",
# end DBus rules common for all apps
# Don't allow apps to access scope endpoints
audit deny /run/user/[0-9]*/zmq/ rw,
audit deny /run/user/[0-9]*/zmq/** rwk,
# Explicitly deny dangerous access
audit deny /dev/input/** rw,
deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera
deny /run/user/[0-9]*/dconf/user rw,
deny owner @{HOME}/.config/dconf/user r,
deny /custom/etc/dconf_profile r,
deny @{HOME}/.cache/QML/Apps/ r,
# subset of GNOME stuff
/{,custom/}usr/share/icons/** r,
/{,custom/}usr/share/themes/** r,
/usr/lib{,32,64}/pango/** mr,
/usr/lib/@{multiarch}/pango/** mr,
/usr/share/icons/*/index.theme rk,
/usr/share/unity/icons/** r,
/usr/share/thumbnailer/icons/** r,
/custom/xdg/data/themes/ r,
/custom/xdg/data/themes/** r,
/custom/usr/share/fonts/ r,
/custom/usr/share/fonts/** r,
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,
deny @{HOME}/.config/ibus/bus/ w, # noisy and unneeded
# subset of freedesktop.org
/usr/share/mime/** r,
owner @{HOME}/.local/share/mime/** r,
owner @{HOME}/.config/user-dirs.dirs r,
/usr/share/glib*/schemas/gschemas.compiled r,
# various /proc entries (be careful to not allow things that can be used to
# enumerate installed apps-- this will be easier once we have a PID kernel
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
# FIXME: this exposes the command lines of every process the user owns, not
# just the app's own, so it leaks which other apps are running. Is it actually
# required? An AppArmor kernel var for the app's own PID could solve this
owner @{PROC}/[0-9]*/cmdline r,
/{,var/}run/shm/hybris_shm_data rw, # FIXME: LP: #1226569 (make app-specific)
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
deny @{PROC}/xlog/ r,
deny @{PROC}/xlog/* rw,
# Lttng tracing. Can safely deny. LP: #1260491
deny /{,var/}run/shm/lttng-ust-* r,
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
/sys/devices/system/cpu/ r,
/sys/kernel/debug/tracing/trace_marker w,
/etc/udev/udev.conf r,
/sys/devices/pci[0-9]*/**/uevent r,
# Not required, but noisy
deny /run/udev/data/** r,
# thumbnailing helper
/usr/lib/@{multiarch}/thumbnailer/vs-thumb ixr,
deny @{HOME}/.cache/tncache-write-text.null w, # silence access test
# FIXME: reading attr/current of any user-owned process reveals the confinement
# label (and so the identity) of other running apps, not just this one. An
# AppArmor kernel var for the app's own PID could solve this
owner @{PROC}/[0-9]*/attr/current r,
# Allow communications with thumbnailer for thumbnailing local files
interface="org.freedesktop.DBus.Introspectable"
path="/com/canonical/Thumbnailer"
peer=(label=unconfined),
path="/com/canonical/Thumbnailer"
interface="com.canonical.Thumbnailer"
member="GetThumbnail"
peer=(label=unconfined),
# apps may always use vibrations
/sys/class/timed_output/vibrator/enable rw,
/sys/devices/virtual/timed_output/vibrator/enable rw,
# apps may always use the accelerometer and orientation sensor
/etc/xdg/QtProject/Sensors.conf r,
/usr/share/qtchooser/ r,
/usr/share/qtchooser/** r,
/usr/lib/@{multiarch}/qt5/bin/qmlscene ixr,
owner @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini rk,
audit deny @{HOME}/.config/{UITK,ubuntu-ui-toolkit}/theme.ini w,
/usr/share/cordova-ubuntu*/ r,
/usr/share/cordova-ubuntu*/** r,
# Launching under upstart requires this
/usr/bin/qtchooser rmix,
/usr/bin/cordova-ubuntu* rmix,
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner rix,
# GStreamer binary registry - hybris pulls this in for everything now, not
owner @{HOME}/.gstreamer*/registry.*.bin* r,
deny @{HOME}/.gstreamer*/registry.*.bin* w,
deny @{HOME}/.gstreamer*/ w,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* r,
deny @{HOME}/.cache/gstreamer*/registry.*.bin* w,
deny @{HOME}/.cache/gstreamer*/ w,
# gstreamer writes JIT-compiled code to orcexec.* files. Several locations are
# tried in turn, so quietly deny (plain 'deny', not 'audit deny') the ones we
# won't permit anyway, to keep the expected failed attempts out of the logs
deny /tmp/orcexec* w,
deny /{,var/}run/user/*/orcexec* w,
deny @{HOME}/orcexec* w,
/{,android/}system/etc/media_codecs.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Don't allow plugins in webviews for now
deny /usr/lib/@{multiarch}/qt5/libexec/QtWebPluginProcess rx,
# cordova-ubuntu wants to run lsb_release, which is a python program and we
# don't want to give access to that. cordova-ubuntu will fallback to
# examining /etc/lsb-release directly, which is ok. If needed, we can lift
# the denial and ship a profile for lsb_release and add a Pxr rule
deny /usr/bin/lsb_release rx,
# Application install dirs
@{CLICK_DIR}/@{APP_PKGNAME}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r,
@{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix,
# Packages shipped as debs have their install directory in /usr/share
/usr/share/@{APP_PKGNAME}/ r,
/usr/share/@{APP_PKGNAME}/** mrklix,
# Application writable dirs
# FIXME: LP: #1197060, LP: #1377648 (don't remove until qtwebkit is off the
owner /{,run/}shm/WK2SharedMemory.[0-9]* rwk,
# FIXME: LP: #1370218
owner /{run,dev}/shm/shmfd-* rwk,
# Allow writes to various (application-specific) XDG directories
owner @{HOME}/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
owner @{HOME}/.cache/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,
owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,
owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)
owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,