
Add in a pidgin aa-profile which is less restrictive on network connections than the proxy(tor) specific aa-profile.

Signed-off-by: David b <db@d1b.org>
1 parent 8b01deb commit 2cf79b792c0719cee67d56b3112b222017f18762 @d1b committed Apr 14, 2012
Showing with 96 additions and 0 deletions.
  1. +96 −0 policies/usr.bin.pidgin
96 policies/usr.bin.pidgin
@@ -0,0 +1,96 @@
+#
+# AppArmor Pidgin profile for Ubuntu 11.04 Natty
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+
+#include <tunables/global>
+/usr/bin/pidgin {
+ #include <abstractions/audio>
+ #include <abstractions/aspell>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+ #include <abstractions/dbus>
+ #include <abstractions/dbus-session>
+ #include <abstractions/gnome>
+ #include <abstractions/ibus>
+ #include <abstractions/launchpad-integration>
+ #include <abstractions/python>
+ #include <abstractions/private-files>
+ #include <abstractions/nameservice>
+ #include <abstractions/ssl_certs>
+ #include <abstractions/user-download>
+ #include <abstractions/ubuntu-browsers>
+
+ #capability sys_ptrace,
+
+ #owner @{HOME}/ r,
+ owner @{HOME}/.config/enchant/ rw,
+ owner @{HOME}/.config/enchant/* rwk,
+ owner @{HOME}/.thumbnails/normal/*.png r,
+ owner @{HOME}/.local/share/icons/ r,
+ owner @{HOME}/.local/share/mime/* r,
+ owner @{HOME}/.gnome2/nautilus-sendto/** rw,
+ owner @{HOME}/.gstreamer*/ rw,
+ owner @{HOME}/.gstreamer*/** rw,
+ owner @{HOME}/.pulse/ rw,
+ owner @{HOME}/.pulse/** rw,
+ owner @{HOME}/.pulse-cookie rwk,
+ owner @{HOME}/.purple/ rw,
+ owner @{HOME}/.purple/** rwk,
+
+ # network code
+ # Only allow tcp - set a global proxy to hit only Tor
+ network inet stream, # tcp stream
+ # No ipv4 udp
+ network inet dgram, # udp
+ # No ipv6 tcp/udp
+ network inet6 stream, # tcp
+ network inet6 dgram, # udp
+
+ #/bin/dash rix,
+
+ /etc/ r,
+ /etc/pulse/client.conf r,
+
+ /dev/shm/ r,
+ owner /dev/shm/* rw,
+ owner /tmp/orbit-*/* w,
+ owner /tmp/pulse-*/* w,
+ owner /tmp/orcexec.* m,
+ owner @{PROC}/[0-9]*/fd/ r,
+
+ # Investigation
+ #audit /sys/ r,
+ #audit /sys/** r,
+
+ /usr/bin/gconftool-2 rix,
+ /usr/bin/gnome-default-applications-properties ix,
+ /usr/bin/gnome-network-preferences ix,
+ /usr/bin/gnome-open rmix,
+ /usr/bin/pidgin r,
+ /usr/bin/xdg-open rmix,
+
+ /usr/lib/ r,
+ /usr/lib/libvisual-*/**.so rm,
+ /usr/lib/pidgin/*.so rm,
+ /usr/lib/purple*/*.so rm,
+
+ /usr/share/ca-certificates/*/** r,
+ /usr/share/enchant/enchant.ordering r,
+ /usr/share/locale-langpack/** rm,
+ /usr/share/purple/ca-certs/ r,
+ /usr/share/purple/ca-certs/** r,
+ /usr/share/myspell/dicts/ r,
+ /usr/share/myspell/dicts/** r,
+ /usr/share/tcltk/** r,
+ /usr/share/hunspell/ r,
+ /usr/share/hunspell/** r,
+ /usr/share/themes/ r,
+ /usr/share/themes/** r,
+
+ # abstraction/python misses this
+ /usr/include/python2.7/** r,
+}
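Review bot: The comments in the network block contradict the rules they annotate: `# Only allow tcp - set a global proxy to hit only Tor` introduces a block that grants `network inet dgram,` plus both `inet6` rules, and `# No ipv4 udp` / `# No ipv6 tcp/udp` sit directly above the rules that permit exactly that traffic. They look carried over from the Tor-specific profile this commit is deliberately loosening, so anyone auditing the policy later will read the comments as intent and the rules as a slip. Suggest replacing the three comments with a single `# Network: inet/inet6 tcp and udp are all permitted here; no proxy is enforced (the tor profile is the restricted variant)` and deleting the two `# No ...` lines, keeping the per-rule `# tcp` / `# udp` annotations as they are.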
