Merge lp:~elmo/apparmor-profiles/worldofgoo into lp:apparmor-profiles

Proposed by James Troup
Status: Merged
Merge reported by: Jamie Strandboge
Merged at revision: not available
Proposed branch: lp:~elmo/apparmor-profiles/worldofgoo
Merge into: lp:apparmor-profiles
Diff against target: 46 lines (+42/-0)
1 file modified
ubuntu/11.10/opt.WorldOfGoo.WorldOfGoo (+42/-0)
To merge this branch: bzr merge lp:~elmo/apparmor-profiles/worldofgoo
Reviewer: Jamie Strandboge
Review status: Approve
Review via email: mp+86128@code.launchpad.net

Description of the change

Add a profile for World of Goo

Simon Déziel (sdeziel) wrote :

James, I haven't tested the profile you're proposing but I was wondering if it would be possible to restrict the access to Pulse SHM files only to owners?

owner /run/shm/pulse-shm-* mr,

83. By James Troup

Add @{HOME}/.WorldOfGoo/ top level directory as pointed out by Kees Cook. Add missing owner restrictions, suggested by Simon Déziel.

James Troup (elmo) wrote :

@sdeziel, good point. I've added a bunch of 'owner' restrictions to the profile in r83.

Jamie Strandboge (jdstrand) :
review: Approve

Preview Diff

1=== added file 'ubuntu/11.10/opt.WorldOfGoo.WorldOfGoo'
2--- ubuntu/11.10/opt.WorldOfGoo.WorldOfGoo 1970-01-01 00:00:00 +0000
3+++ ubuntu/11.10/opt.WorldOfGoo.WorldOfGoo 2011-12-20 01:29:24 +0000
4@@ -0,0 +1,42 @@
5+# vim:syntax=apparmor
6+# Author: James Troup <james.troup@canonical.com>
7+
8+#include <tunables/global>
9+
10+/opt/WorldOfGoo/WorldOfGoo {
11+ #include <abstractions/base>
12+ #include <abstractions/X>
13+ #include <abstractions/audio>
14+ #include <abstractions/dbus-session>
15+
16+ # For the wrapper script
17+ /bin/dash ix,
18+ /bin/readlink rix,
19+ /bin/uname rix,
20+ /usr/bin/dirname rix,
21+
22+ # The game itself
23+ /opt/WorldOfGoo/** r,
24+ /opt/WorldOfGoo/WorldOfGoo.bin32 rix,
25+ /opt/WorldOfGoo/WorldOfGoo.bin64 rix,
26+
27+ /usr/bin/gnome-screensaver-command rix,
28+
29+ owner @{HOME}/.WorldOfGoo/ rw,
30+ owner @{HOME}/.WorldOfGoo/** rw,
31+
32+ /etc/timidity/freepats.cfg r,
33+
34+ owner @{PROC}/[0-9]*/cmdline r,
35+ owner @{PROC}/[0-9]*/statm r,
36+ @{PROC}/filesystems r,
37+
38+ # World of Goo seems to like to mmap files more than some of the
39+ # abstractions allow for...
40+ owner /run/shm/pulse-shm-* mr,
41+ /usr/share/locale-langpack/** mr,
42+ /dev/dri/card0 mrw,
43+
44+ # https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/904548
45+ /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
46+}
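Review bot: In the mmap block near the end of the profile, `/dev/dri/card0 mrw,` matches only the first DRM node, so the rule will not cover a machine whose GPU is exposed as card1 or higher; consider `/dev/dri/card[0-9]* rw,`. The `m` bit on that rule permits executable mappings of a device node, so keep it only if a logged denial shows the game needs it, and record that in the comment above the block. In the wrapper-script section, `/bin/dash ix,` is the only entry without `r`, unlike `/bin/readlink rix,` and its neighbours; if that is deliberate a short comment would help, otherwise use `rix` for consistency.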
