AppArmor Debian Squeeze profiles
# Last Modified: Tue Apr 13 15:45:46 2010
#include <tunables/global>
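/usr/bin/acroread {
  # Adobe's wrapper script: works out which Reader version is installed (via dpkg)
  # and execs the versioned launcher, which runs under the child profile below.
  #include <abstractions/base>

  /bin/dash ix,
  /usr/bin/acroread r,
  /proc/filesystems r,

  # Version detection: dpkg runs inherited and only gets its configuration.
  /usr/bin/dpkg rix,
  /etc/dpkg/dpkg.cfg r,
  /etc/dpkg/dpkg.cfg.d/ r,

  # cx: transition into the child profile defined below.
  /usr/lib/Adobe/Reader8/bin/acroread-en cx,
  /usr/lib/Adobe/Reader9/bin/acroread-en cx,

  # Reader proper. It parses attacker-supplied PDFs, so it only gets its own state
  # under ~/.adobe, read access to PDFs in the browser cache and on the Desktop, and
  # no write access anywhere else in the home directory.
  profile /usr/lib/Adobe/Reader{8,9}/bin/acroread-en {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/fonts>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>

    # Utilities used by the launcher script, inherited into this profile.
    /bin/{cat,cp,grep,mkdir,rm,sed,uname} rix,
    /usr/bin/{basename,dirname,gconftool-2,test} rix,
    /usr/bin/{cut,expr,xargs} ix,
    # which and pwd both have their own profile in this set, so confine them there
    # (px) instead of letting them inherit the Reader rules.
    /bin/which px,
    /bin/pwd px,
    # Clicked links go to the browser's own profile.
    /usr/lib/iceweasel/iceweasel px,

    # Acrobat Reader 8 (from "stable").
    # NOTE(review): the Reader 8 binary has only "mr" while Reader 9's has "rix"; if
    # Reader 8 is still launched, exec of this file would be denied — confirm in the
    # audit log.
    /etc/gre.d/1.9.1.system.conf r,
    owner /home/*/.adobe/Acrobat/8.0/{,**} mrwk,
    /usr/lib/Adobe/Reader8/Reader/intellinux/bin/acroread mr,
    /usr/lib/Adobe/Reader8/Reader/intellinux/plug_ins/*.api mr,

    # Acrobat Reader 9.
    /usr/lib/Adobe/Reader9/Reader/intellinux/bin/acroread rix,
    /usr/lib/Adobe/Reader9/Reader/intellinux/plug_ins/**.api mr,
    /usr/lib/Adobe/Reader9/Reader/intellinux/SPPlugins/ADMPlugin.apl mr,
    /usr/lib/Adobe/Reader9/Resource/Font/*.{PFB,otf} mr,
    /usr/lib/Adobe/Reader9/Reader/DocSettings/ w,

    # Per-user Reader 9 state: readable as a whole, writable only where listed.
    owner /home/*/.adobe/ rw,
    owner /home/*/.adobe/Acrobat/ rw,
    owner /home/*/.adobe/Acrobat/9.0/ rw,
    owner /home/*/.adobe/Acrobat/9.0/** mrk,
    owner /home/*/.adobe/Acrobat/9.0/Preferences/{,**} w,
    owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents wk,
    owner /home/*/.adobe/Acrobat/9.0/SharedDataEvents-journal w,
    owner /home/*/.adobe/Acrobat/9.0/UserCache.bin w,
    owner /home/*/.adobe/Acrobat/9.0/{TMGrpPrm,TMDocs}.sav w,
    owner /home/*/.adobe/Acrobat/9.0/Synchronizer/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/Cache/Search/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/Collab/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Collab/Temp/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Forms/{,*} rw,
    # NOTE(review): two writable locations are sensitive. JavaScripts/ holds user
    # scripts that Reader loads, and Cert/ holds the CA bundle it trusts, so a
    # compromised Reader could use them to persist or to subvert TLS trust. The
    # writes were presumably granted because Reader does perform them; if they turn
    # out to be optional, "deny ... w" on these two is the first hardening to apply.
    owner /home/*/.adobe/Acrobat/9.0/JavaScripts/{,*} w,
    owner /home/*/.adobe/Acrobat/9.0/Cert/{,*} rw,
    owner /home/*/.adobe/Acrobat/9.0/Cert/curl-ca-bundle.crt w,

    # Other per-user files.
    owner /dev/shm/sem.* mrwl,
    #/etc/passwd mr,
    owner /home/*/.Xauthority r,
    owner /home/*/.fontconfig/ rw,
    owner /home/*/.fontconfig/* mrw,
    # PDFs opened from the browser live in its cache; Desktop is the only other
    # user directory Reader may read.
    owner /home/*/.mozilla/firefox/*.default/Cache/* r,
    owner /home/*/Desktop/{,**} r,
    owner /home/*/.local/share/icons/ r,
    owner /proc/*/mounts r,

    # System resources.
    /etc/gre.d/ r,
    /proc/filesystems r,
    /proc/meminfo r,
    /usr/share/ r,
    /usr/local/share/ r,
    /usr/share/mime/mime.cache mr,
    /usr/share/fonts/{,**} mr,
    /usr/share/texmf/fonts/**{/,.pfb,.afm} r,
    /usr/share/icons/hicolor/icon-theme.cache mr,
  }
}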
# Last Modified: Fri Apr 9 00:12:39 2010
#include <tunables/global>
/bin/ps {
  #include <abstractions/base>
  # nameservice: ps maps uids to user names through nsswitch.
  #include <abstractions/nameservice>

  # Only effective when ps is run by a task that already holds these (i.e. root
  # listing other users' processes); an unprivileged invocation never had them.
  # NOTE(review): dac_override is the broadest of the three — check the audit log
  # before keeping it.
  capability dac_override,
  capability dac_read_search,
  capability sys_ptrace,

  /dev/tty r,

  # Process table and per-process files.
  /proc/ r,
  /proc/*/{cmdline,stat,status,wchan} r,
  /proc/*/attr/current r,

  # System-wide data used for the header columns and tty names.
  /proc/{meminfo,stat,uptime,version} r,
  /proc/sys/kernel/pid_max r,
  /proc/tty/drivers r,
}
# Last Modified: Thu Apr 8 22:43:19 2010
#include <tunables/global>
/bin/pwd {
  # pwd only asks the kernel for the current directory; the base abstraction
  # (libc, locale, /dev/null ...) is all it needs. Kept as a separate profile so
  # other profiles can hand off to it with px instead of inheriting their rules.
  #include <abstractions/base>
}
# Last Modified: Thu Apr 8 21:31:38 2010
#include <tunables/global>
/bin/which {
  # /bin/which is a dash script on Debian: the interpreter runs inherited and the
  # script file itself has to be readable. Other profiles reach it via px.
  #include <abstractions/base>

  /bin/dash ix,
  /bin/which r,
}
# Last Modified: Fri Apr 9 13:06:45 2010
#include <tunables/global>
/usr/lib/xulrunner-*/xulrunner-stub {
# Iceweasel (Firefox) proper. Every helper it launches either runs inherited
# (ix: same rules as the browser), in a child profile (cx: defined at the bottom)
# or in a separate profile (px). Plugins loaded in-process (nppdf.so, "mr") are
# confined exactly like the browser.
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/gnome>
#include <abstractions/nameservice>
# IPv4 TCP only. NOTE(review): add "network inet6 stream," if IPv6 is expected to work.
network inet stream,
/bin/dash cx,
/etc/iceweasel/** r,
/etc/java-6-sun/logging.properties r,
/etc/java-6-sun/security/java.security r,
/etc/mailcap r,
/etc/mime.types r,
/etc/mtab r,
/etc/timezone r,
owner /home/*/.Xauthority r,
owner /home/*/.adobe/Flash_Player/** r,
owner /home/*/.esd_auth r,
owner /home/*/.java/deployment/deployment.properties rwk,
owner /home/*/.local/share/icons** r,
owner /home/*/.local/share/mime/* r,
# Flash local shared objects (cookie-like state) are writable; nothing else under .macromedia is.
owner /home/*/.macromedia/Flash_Player/#SharedObjects/ r,
owner /home/*/.macromedia/Flash_Player/#SharedObjects/** rw,
owner /home/*/.macromedia/Flash_Player/macromedia.com/support/** rw,
owner /home/*/.mozilla/extensions/** r,
# The whole browser profile (cookies, saved passwords, session) is rwk — unavoidable
# for the browser itself, but note that every ix helper below (npviewer,
# plugin-container, gtk-gnash, jedit) inherits the same access.
owner /home/*/.mozilla/firefox/** rwk,
owner /home/*/.gnashrc r,
# The only user directories the browser may write to.
owner /home/*/{Downloads,Desktop}/ r,
owner /home/*/{Downloads,Desktop}/** rwk,
/proc/filesystems r,
owner /proc/*/mounts r,
owner /proc/*/fd/ r,
/var/lib/dbus/machine-id r,
/sys/devices/system/cpu/ r,
# Torrent files are handed to transmission under its own profile.
/usr/bin/transmission px,
# The Java plugin JVM gets the child profile defined at the bottom.
/usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java cx,
/usr/share/hunspell** r,
/usr/share/iceweasel/** r,
/usr/share/mozilla/** r,
/usr/share/xulrunner-*/** r,
/usr/share/libthai/thbrk.tri r,
# Self-restart
/usr/lib/xulrunner-*/xulrunner-stub px,
# Adobe Acrobat 9 (via "mozilla-acroread")
# NOTE(review): the nspluginwrapper viewer that hosts the PDF plugin runs ix, so
# Reader's code gets the browser's full rule set rather than the tighter acroread
# profile. A cx child profile for npviewer.bin would separate the two.
/usr/lib/nspluginwrapper/plugins/npwrapper.nppdf.so mr,
/usr/lib/nspluginwrapper/i386/linux/npviewer ix,
/usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
/usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
/bin/uname ix,
/bin/which px,
/bin/ps px,
/bin/grep ix,
/usr/bin/setarch ix,
# Launching the full Reader uses its own profile.
/usr/bin/acroread px,
/usr/bin/tr ix,
# Adobe Acrobat 8 (via "mozilla-acroread")
/usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,
# Gnash
/usr/bin/gtk-gnash ix,
/etc/gnashrc r,
/etc/gnashpluginrc r,
/usr/share/gnash/GnashG.png r,
/usr/share/gnash/gnash_128_96.ico r,
owner /home/*/.gnash/SharedObjects/**.sol wr,
# Iceweasel 4, flash.
# Out-of-process plugin host; runs inherited (same caveat as npviewer above).
/usr/lib/xulrunner-*/plugin-container ix,
# External editors for "It's All Text"
/usr/bin/jedit rix,
# Shell helpers spawned by the browser (the mozilla-acroread wrapper scripts): a
# reduced rule set with no access to the user's files.
profile /bin/dash {
#include <abstractions/base>
/bin/grep rix,
/bin/ps px,
/bin/which px,
/bin/uname ix,
# Adobe Acrobat 8 (via "mozilla-acroread")
/usr/lib/nspluginwrapper/i386/linux/npviewer ix,
/usr/lib/nspluginwrapper/i386/linux/npviewer.bin ix,
/usr/lib/Adobe/Reader8/Browser/intellinux/nppdf.so mr,
/usr/bin/setarch ix,
# Adobe Acrobat 9 (via "mozilla-acroread")
/usr/lib/Adobe/Reader9/Browser/intellinux/nppdf.so mr,
/usr/bin/tr ix,
}
# Java plugin JVM, kept apart from the browser: no access to Downloads or to the
# Firefox profile beyond itsalltext/ and appreg; only its own ~/.java state and jEdit.
profile /usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java {
#include <abstractions/base>
#include <abstractions/gnome>
#include <abstractions/nameservice>
/etc/java-6-sun/** r,
# NOTE(review): "m" (mmap PROT_EXEC) on /etc/passwd is likely unneeded; "r" should do.
/etc/passwd mr,
/etc/timezone r,
# Site-specific: state file of one Java application run through the plugin.
owner /home/*/.RealtyAdmin.db rw,
owner /home/*/.Xauthority r,
owner /home/*/.java/.userPrefs/** rwk,
owner /home/*/.java/deployment/** mrwk,
owner /home/*/.mozilla/appreg r,
/proc/*/net/if_inet6 r,
/proc/*/net/ipv6_route r,
/sys/devices/system/cpu/ r,
# JVM performance-data files. NOTE(review): consider adding "owner", as for the home rules.
/tmp/hsperfdata_*/* mrwlk,
/usr/lib/jvm/java-6-sun-1.6.*.*/jre/bin/java rix,
# Broad on purpose — presumably the JVM loads native libraries from anywhere under /usr/lib*.
/usr/lib{,32,64}/** mr,
/usr/share/fonts/type1/gsfonts/*.pfb r,
# External editors for "It's All Text"
/usr/share/jEdit/jedit.jar rm,
owner /home/*/.jedit/** rmwk,
/usr/share/jEdit/** rmk,
owner /home/*/.mozilla/firefox/*/itsalltext/* rwmk,
/bin/chmod ix,
}
}
# Last Modified: Fri Apr 9 13:26:42 2010
#include <tunables/global>
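/usr/lib/icedove/icedove-bin {
  # Icedove (Thunderbird) mail client. Everything it parses is attacker-supplied
  # (mail bodies, attachments), so writes are limited to the user's own data.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>

  /etc/icedove/pref/ r,
  /etc/icedove/pref/icedove.js r,
  /etc/{mime.types,mailcap,rpc,mtab} r,
  /proc/filesystems r,

  # Installed program files are read-only. The built-in updater probes whether it
  # can write into /usr/lib and /usr/share; updates come through apt here, so refuse
  # those writes quietly (deny) rather than let the mail client modify its own
  # installed code/chrome, which would be an easy persistence path for an exploit.
  /usr/share/icedove/** r,
  deny /usr/share/icedove/chrome/app-chrome.manifest w,
  deny /usr/lib/icedove/update.test rw,
  # Self-restarts.
  /usr/lib/icedove/icedove-bin ix,
  # Generic plugins.
  /usr/lib/nspluginwrapper/plugins/*.so rm,

  # Spell-checking dictionaries.
  /usr/share/hunspell/{,*} r,
  /usr/share/myspell/** r,

  # Per-user state: old (mozilla-thunderbird) and new (icedove 3.0.4) profile locations.
  owner /home/*/.Xauthority r,
  owner /home/*/.mozilla-thunderbird/** rwk,
  owner /home/*/.icedove/profiles.ini r,
  owner /home/*/.icedove/*.default/{,**} rwk,
  owner /home/*/.mozilla/extensions/** rw,
  owner /home/*/.local/share/icons/{,*} r,
  owner @{HOME}/.local/share/mime/* r,
  owner /home/*/.esd_auth r,
  owner /home/*/.cache/event-sound-cache* rwk,
  # Attachments are saved to, and opened from, these two directories only.
  owner /home/*/{Downloads,Desktop}/ r,
  owner /home/*/{Downloads,Desktop}/** rw,

  # Links open through sensible-browser (a shell script, inherited), which then
  # transitions into the browser's own profile.
  /usr/bin/sensible-browser rix,
  /usr/lib/iceweasel/iceweasel px,
}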
# Last Modified: Sat Apr 10 14:10:21 2010
#include <tunables/global>
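/usr/lib/iceweasel/iceweasel {
  # Debian launcher script for Iceweasel: resolves its own location and execs the
  # real browser (xulrunner-stub), which has its own profile.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /bin/dash ix,
  /bin/readlink rix,
  /etc/iceweasel/iceweaselrc r,
  owner /home/*/.Xauthority r,
  /proc/cpuinfo r,
  /proc/filesystems r,

  # px needs a loaded profile for the target. /bin/which has one in this set;
  # NOTE(review): no /usr/bin/dirname profile is included in this gist — without
  # one loaded, the exec fails (use ix, or add the profile).
  /bin/which rpx,
  /usr/bin/dirname px,

  # Hand over to the browser proper. One pattern covers xulrunner 1.9.1 (Iceweasel
  # 3.5) and 2.0 (Firefox 4), matching the attachment glob of the xulrunner-stub profile.
  /usr/lib/xulrunner-*/xulrunner-stub px,
}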
# Last Modified: Sat Apr 10 14:10:21 2010
#include <tunables/global>
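/usr/bin/psi {
  # Psi XMPP client.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>

  /etc/debian_version r,
  # TLS trust for server connections: the system CA bundle plus Psi's bundled certs.
  /etc/ssl/certs/ca-certificates.crt r,
  /usr/share/psi/certs/{,*} r,
  /usr/share/psi/iconsets/roster/*.jisp r,
  /usr/share/icons/hicolor/index.theme r,
  # Language.
  /var/lib/aspell/en-common.rws r,

  # Per-user state. accounts.xml presumably holds credentials and history/ the chat
  # logs, so everything stays owner-only.
  owner @{HOME}/.config/Trolltech.conf rwk,
  owner @{HOME}/.psi/psirc rwk,
  owner @{HOME}/.psi/profiles/ r,
  owner /home/*/.psi/caps.xml rw,
  owner /home/*/.psi/avatars/* rw,
  owner /home/*/.psi/tmp-sounds/ rw,
  # Profile files are written via a .temp file and kept with a .backup copy. The
  # event log appears to be named after the account's domain (events-gmail.com.xml
  # was the observed instance); match any account rather than pinning one.
  owner /home/*/.psi/profiles/default/options.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/accounts.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/events-*.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/vcard/*.xml{,.backup,.temp} rw,
  owner /home/*/.psi/profiles/default/history/*.history rw,

  # Opens a browser for clickable URLs.
  /usr/bin/xdg-open px,
  # Play sounds.
  /usr/bin/aplay px,

  # Explicitly deny /proc access in order to keep the audit log clean.
  deny /proc/*/net/ipv6_route r,
  deny /proc/*/net/route r,
  deny /proc/*/net/if_inet6 r,
}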
# Last Modified: Sun Apr 11 14:16:29 2010
#include <tunables/global>
/usr/sbin/rsyslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Needed to read the kernel ring buffer through /proc/kmsg on this kernel
  # generation. NOTE(review): CAP_SYS_ADMIN is very broad; on kernels that offer
  # CAP_SYSLOG, prefer "capability syslog,".
  capability sys_admin,
  owner /proc/kmsg r,

  # Configuration and output modules. The daemon runs as root here (it reads the
  # root-owned /proc/kmsg), so "owner" on system files means root-owned.
  owner /etc/rsyslog.conf r,
  owner /etc/rsyslog.d/{,**} r,
  /usr/lib/rsyslog/*.so mr,

  # Log sinks: files under /var/log, the console devices, and the log socket inside
  # the postfix chroot (/dev/log itself presumably comes from abstractions/base).
  owner /var/log/** rw,
  owner /dev/{tty,xconsole} rw,
  /var/spool/postfix/dev/log rw,
  owner /var/run/rsyslogd.pid rwk,
}
# Last Modified: Sun Apr 11 14:29:19 2010
#include <tunables/global>
/sbin/dhclient3 {
# ISC dhclient. Runs as root with raw-socket and interface-configuration rights, and
# everything it receives on the wire (lease options, host and domain names) is
# untrusted input that ends up in the environment of dhclient-script.
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/nis>
# Raw packet sockets, binding the privileged DHCP client port, and changing
# addresses/routes.
capability net_admin,
capability net_bind_service,
capability net_raw,
network packet packet,
# Utilities used by dhclient-script; all of them run inherited (ix) in this profile.
/bin/chmod rix,
/bin/chown rix,
/bin/mv rix,
/bin/rm rix,
/bin/run-parts rix,
# "owner" on /etc and /var files: the daemon is root, so these must be root-owned.
owner /etc/dhcp3/dhclient-{enter,exit}-hooks.d/{,*} r,
owner /etc/dhcp3/dhclient.conf r,
# resolv.conf is presumably replaced atomically: written as .dhclient-new, then
# mv'd over the real file (hence "w" on the target).
owner /etc/resolv.conf.dhclient-new rw,
owner /etc/resolv.conf w,
owner /proc/*/net/dev r,
owner /proc/filesystems r,
owner /proc/meminfo r,
# NOTE(review): dhclient-script (a bash script fed attacker-influenced DHCP option
# values) runs ix, i.e. with every capability above plus the packet socket and the
# lease file. A cx child profile holding only the hook/ifconfig/route/resolv.conf
# rules would limit what a script injection could do — confirm the rules it needs
# against the audit log first.
/sbin/dhclient-script rix,
/sbin/ifconfig rix,
/sbin/route rix,
/usr/sbin/avahi-autoipd rix,
owner /var/lib/dhcp3/dhclient.leases rw,
owner /var/lib/wicd/dhclient.conf r,
owner /var/run/dhclient.pid rw,
}
# Last Modified: Fri Apr 9 15:04:10 2010
#include <tunables/global>
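/usr/bin/skype {
  # Closed-source binary that talks to the Internet: keep it to its own state and
  # the devices it needs.
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  # Webcam and sound devices.
  /dev/ r,
  /dev/snd/* mrw,
  /dev/video0 mrw,
  /etc/group mr,
  /proc/*/net/route r,
  /proc/sys/kernel/os{type,release} r,
  /sys/devices/system/cpu/ r,

  owner /home/*/.Skype/ rw,
  owner /home/*/.Skype/** rwk,
  owner /home/*/.Xauthority r,
  owner /home/*/.config/Trolltech.conf rwk,
  owner /home/*/.fontconfig/* mr,

  # Skype reads under ~/.mozilla (presumably browser detection / proxy settings —
  # TODO confirm what it actually opens). Whatever the reason, it must not get at
  # the browser's stored passwords, keys, cookies, history and session. deny takes
  # precedence over the broad read below and keeps the audit log quiet.
  owner /home/*/.mozilla/ r,
  owner /home/*/.mozilla/** r,
  deny /home/*/.mozilla/firefox/*/{key3.db,cert8.db,signons.sqlite,signons3.txt,cookies.sqlite,formhistory.sqlite,places.sqlite,sessionstore.js} r,

  # Links are opened in the browser via xdg-open's own profile.
  /usr/bin/xdg-open rpx,

  /usr/share/fonts/** mr,
  /usr/share/skype/** mrk,
}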
# Last Modified: Sat Apr 10 14:10:21 2010
#include <tunables/global>
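/usr/bin/transmission {
  # Transmission BitTorrent client (GTK). Downloads land only in Desktop/Downloads.
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/nameservice>
  #include <abstractions/perl>

  / r,
  /etc/iceweasel/iceweaselrc r,
  /etc/mailcap r,
  /proc/cpuinfo r,
  /proc/filesystems r,

  owner /home/*/ r,
  owner /home/*/.Xauthority r,
  owner /home/*/.esd_auth r,
  owner /home/*/.config/transmission/** rwk,
  owner /home/*/.cache/transmission/ rw,
  owner /home/*/.cache/transmission/favicons/{,*} rw,
  owner /home/*/.cache/event-sound-cache.* rwk,
  owner /home/*/.local/share/icons/ r,
  owner /home/*/.local/share/mime/* r,
  owner /home/*/.local/share/Trash/** w,
  owner /home/*/{Desktop,Downloads}/ r,
  owner /home/*/{Desktop,Downloads}/** rw,
  # GTK appears to save the file-chooser settings atomically: it writes
  # gtkfilechooser.ini.XXXXXX (random six-character suffix) and renames it over
  # gtkfilechooser.ini. The previous rule pinned one observed random suffix
  # (.SEBGBV), so every later save would have been denied; the rename target needs
  # write access as well.
  owner /home/*/.config/gtk-2.0/* r,
  owner /home/*/.config/gtk-2.0/gtkfilechooser.ini{,.??????} rw,

  # Helpers for opening files/URLs from the UI (inherited shell/perl wrappers).
  /bin/grep rix,
  /usr/bin/{dbus-send,run-mailcap,sensible-browser,xdg-mime,xprop} rix,
  /bin/which rpx,
  # NOTE(review): px needs a loaded /usr/bin/dirname profile; none is in this gist.
  /usr/bin/dirname px,
  /usr/bin/xdg-open rpx,
  /usr/lib/iceweasel/iceweasel px,
  # Matches both xulrunner locations (1.9.1 and 2.0) used by the browser profile.
  /usr/lib/xulrunner-*/xulrunner-stub px,
}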
# Last Modified: Sat Apr 10 14:10:21 2010
#include <tunables/global>
/usr/bin/aplay {
  # Minimal ALSA player, reached via px from the psi profile to play event sounds.
  #include <abstractions/base>

  /etc/{nsswitch.conf,group} r,
  /usr/share/alsa/{,cards/,pcm/}*.conf r,
  /dev/snd/* rw,
  # The only sound files it may read are Psi's.
  /usr/share/psi/sound/*.wav r,
}
# Last Modified: Sat Apr 10 14:10:21 2010
#include <tunables/global>
/usr/bin/xdg-open {
  # xdg-open is a shell script that sniffs the target's type (file/magic, mailcap,
  # xdg-mime) and hands it to the browser or a mailcap handler.
  #include <abstractions/base>
  #include <abstractions/perl>

  /usr/bin/xdg-open r,
  # Inherited helpers; "rix" where the helper file itself must also be readable.
  /bin/{dash,sed,tempfile} ix,
  /bin/{egrep,grep} rix,
  /usr/bin/{cut,file} ix,
  /usr/bin/{dbus-send,run-mailcap,sensible-browser,xdg-mime,xprop} rix,
  # Confined separately.
  /bin/which rpx,
  /usr/lib/iceweasel/iceweasel px,

  /etc/mailcap r,
  /etc/magic r,
  /etc/mime.types r,
  /usr/share/file/magic r,
  /usr/share/file/magic.mgc r,
  /proc/filesystems r,
  owner /home/*/.Xauthority r,
  # tempfile(1) scratch files; "owner" keeps it off other users' /tmp entries.
  owner /tmp/file* rw,
}