Merge ~intrigeri/apparmor-profiles/+git/apparmor-profiles:stricter-totem into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by intrigeri
Status: Merged
Merged at revision: bfc0bffc1ca87bd8cae4204cd3bdb62f20dd82ad
Proposed branch: ~intrigeri/apparmor-profiles/+git/apparmor-profiles:stricter-totem
Merge into: ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target: 209 lines (+63/-18)
6 files modified
ubuntu/17.04/abstractions/totem (+16/-3)
ubuntu/17.04/usr.bin.totem (+9/-2)
ubuntu/17.04/usr.bin.totem-previewers (+6/-4)
ubuntu/17.10/abstractions/totem (+17/-3)
ubuntu/17.10/usr.bin.totem (+9/-2)
ubuntu/17.10/usr.bin.totem-previewers (+6/-4)
Reviewer: Steve Beattie (status: Approve)
Review via email: mp+310120@code.launchpad.net
Revision history for this message
Seth Arnold (seth-arnold) wrote :

What motivated the change from ** to [a-zA-Z0-9]? This will prevent access to files in directories Видео/ or ビデオ/.

Thanks

Revision history for this message
intrigeri (intrigeri) wrote :

Hi!

Seth Arnold:
> What motivated the change from ** to [a-zA-Z0-9]?

Noticing that Totem had access e.g. to my OTR and GnuPG private keys,
which seems to void most of the purpose (for my use case at least) of
confining Totem in the first place. Basically, in my tests, the "**"
rule cancels the effect of private-files-strict.

> This will prevent access to files in directories Видео/ or ビデオ/.

Oops, good catch. Thank you! I'll resubmit something nicer (and
simpler), i.e. granting access to any file in $HOME, as long as the
name of the top-level sub-directory does not start with '.'.
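To make the difference between the three candidate rules concrete (the old `@{HOME}/**`, the `[a-zA-Z0-9]` variant Seth asked about, and the `[^.]*` pair that was finally merged), here is an added example, not code from the apparmor-profiles repository or from anyone in this thread. It re-implements enough of AppArmor's path globbing (`*`, `**`, `?`, `[...]`, `[^...]`, `{a,b}`, `@{VAR}` expansion) to check which $HOME paths each rule set covers. It is an approximation of what the parser does, not the parser itself; the exact shape of the intermediate `[a-zA-Z0-9]` rule is not shown in this MP, so `ALNUM_RULES` is an assumption, as is the fixed `/home/alice` home directory and all of the sample paths.

```python
"""Approximate AppArmor path-glob matcher (added example, not project code).

Re-implements enough of AppArmor's globbing ('*', '**', '?', '[...]', '[^...]',
'{a,b}', @{VAR} expansion) to show which paths under $HOME the old
`owner @{HOME}/** rw,` rule, the `[a-zA-Z0-9]` attempt and the merged `[^.]*`
pair cover. This is an approximation of the parser's behaviour, not the parser.
"""
import re

# Assumption: a fixed home directory. The real @{HOME} tunable expands to
# /home/*/ and the parser collapses the doubled slash; a literal path keeps
# the generated regexes readable.
VARIABLES = {"HOME": "/home/alice"}


def _convert(glob, prev):
    """Translate one glob segment to a regex. `prev` is the character before
    the segment: '*' and '**' directly after a '/' must match at least one
    character, so '/dir/**' matches '/dir/x' but not '/dir/' itself (which
    needs its own '/dir/' rule)."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        after_slash = prev in ("", "/")
        if c == "*":
            if glob[i + 1:i + 2] == "*":          # '**' crosses '/'
                out.append("[^/].*" if after_slash else ".*")
                i += 2
            else:                                # '*' stops at '/'
                out.append("[^/]+" if after_slash else "[^/]*")
                i += 1
            prev = "*"
        elif c == "?":                           # single non-'/' character
            out.append("[^/]")
            prev, i = "?", i + 1
        elif c == "[":                           # '[abc]', '[a-z]', '[^.]'
            j = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:j].replace("\\", "\\\\") + "]")
            prev, i = "]", j + 1
        elif c == "{":                           # '{a,b}', may nest
            depth, j, start, parts = 1, i + 1, i + 1, []
            while depth:
                ch = glob[j]
                if ch == "{":
                    depth += 1
                elif ch == "}":
                    depth -= 1
                    if depth == 0:
                        parts.append(glob[start:j])
                elif ch == "," and depth == 1:
                    parts.append(glob[start:j])
                    start = j + 1
                j += 1
            out.append("(?:" + "|".join(_convert(p, prev) for p in parts) + ")")
            prev, i = "}", j
        else:                                    # literal character
            out.append(re.escape(c))
            prev, i = c, i + 1
    return "".join(out)


def aa_rule_matches(rule_path, path, variables=VARIABLES):
    """True if the AppArmor path glob `rule_path` matches the absolute `path`."""
    for name, value in variables.items():
        rule_path = rule_path.replace("@{" + name + "}", value)
    return re.fullmatch(_convert(rule_path, ""), path) is not None


# The three $HOME rule sets discussed in this merge proposal.
OLD_RULES = ["@{HOME}/**"]                         # before this change
ALNUM_RULES = ["@{HOME}/[a-zA-Z0-9]*/**"]          # shape of the first attempt,
                                                   # inferred from Seth's comment (assumption)
NEW_RULES = ["@{HOME}/[^.]*", "@{HOME}/[^.]*/**"]  # what was merged

# Constructed sample paths: visible directories in three scripts, a top-level
# file, two key stores private-files-strict is meant to protect, a hidden
# directory below a visible one, and $HOME itself.
SAMPLE_PATHS = [
    "/home/alice/Videos/film.mkv",
    "/home/alice/Видео/фильм.mkv",
    "/home/alice/ビデオ/映画.mkv",
    "/home/alice/notes.txt",
    "/home/alice/.gnupg/private-keys-v1.d/key.key",
    "/home/alice/.purple/otr.private_key",
    "/home/alice/Projects/.git/config",
    "/home/alice/",
]


def coverage(path):
    """Which rule set grants `path`: {'old': bool, 'alnum': bool, 'new': bool}."""
    sets = {"old": OLD_RULES, "alnum": ALNUM_RULES, "new": NEW_RULES}
    return {name: any(aa_rule_matches(r, path) for r in rules)
            for name, rules in sets.items()}


if __name__ == "__main__":
    print("%-48s %-5s %-5s %-5s" % ("path", "old", "alnum", "new"))
    for p in SAMPLE_PATHS:
        cov = coverage(p)
        print("%-48s %-5s %-5s %-5s" % (p, cov["old"], cov["alnum"], cov["new"]))
```

Running it shows the two properties the thread cares about: `.gnupg` and `.purple` are covered by the old rule only, while `Видео/` and `ビデオ/` are covered by the merged `[^.]*` pair but not by the alphanumeric class. It also shows that hidden entries below a visible directory (the `.git/config` path) stay covered, which is the scope intrigeri describes, and that none of the rule sets grants `$HOME/` itself.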

Revision history for this message
intrigeri (intrigeri) wrote :

Updated!

Revision history for this message
intrigeri (intrigeri) wrote :

Merged current master, copied changes to 17.10. I've now been using these changes for more than 7 months on my main system, and didn't notice any issue. The concern raised by Seth during his first review pass was addressed a while ago :) Time for another review?

Revision history for this message
intrigeri (intrigeri) wrote :

Added one more Mesa-related rule to fix a problem reported on Debian (where I've already applied this MR).

Revision history for this message
intrigeri (intrigeri) wrote :

All concerns raised in the initial review have been addressed 10 months ago. Again, this changeset has been applied in Debian and Tails for a while, and nobody complained :)

Is there anything I can do to help speed this up?

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks for your patience! Looks good, merged.

review: Approve

Preview Diff

1diff --git a/ubuntu/17.04/abstractions/totem b/ubuntu/17.04/abstractions/totem
2index 23eb217..09cc8bb 100644
3--- a/ubuntu/17.04/abstractions/totem
4+++ b/ubuntu/17.04/abstractions/totem
5@@ -30,13 +30,26 @@
6
7 /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
8
9- owner @{HOME}/.cache/tracker/meta.db k,
10- owner @{HOME}/.cache/tracker/meta.db-shm k,
11- owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm} k,
12+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
13+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
14+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
15+ owner @{HOME}/.cache/thumbnails/** rw,
16+ owner @{HOME}/.cache/totem/** rwk,
17+ owner @{HOME}/.cache/totem-* rwk,
18+ owner @{HOME}/.cache/tracker/db-locale.txt r,
19+ owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
20+ owner @{HOME}/.cache/tracker/ontologies.gvdb r,
21+ owner @{HOME}/.config/totem/ rwk,
22+ owner @{HOME}/.config/totem/** rwk,
23+ owner @{HOME}/.local/share/grilo-plugins/ rwk,
24+ owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
25+ owner @{HOME}/.local/share/gvfs-metadata/** r,
26+ owner @{HOME}/.local/share/totem/ rwk,
27
28 owner @{PROC}/@{pid}/status r,
29
30 /run/udev/data/c* r,
31 /run/udev/data/+drm:card* r,
32+ /run/udev/data/+usb* r,
33
34 /sys/devices/system/node/*/meminfo r,
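Review bot: the directory rules are asymmetric in this hunk: `.config/totem/ rwk,` and `.config/totem/** rwk,` are both granted, but `.cache/totem/**`, `.cache/thumbnails/**` and `.local/share/gvfs-metadata/**` list only the contents, and a `/dir/**` glob does not match `/dir/` itself, so creating those directories on a fresh account is not covered now that the profile's `@{HOME}/**` rule is gone. Either add `owner @{HOME}/.cache/totem/ rw,` (and the thumbnails equivalent) or say that the directories are expected to exist. The tracker and grilo rules moving from bare `k` to `rwk` with `-journal,-wal` variants is the right consequence of the profile no longer covering dotdirs; the `owner` prefix is kept throughout, and the non-owner `/run/udev/data/+usb* r,` is fine for world-readable udev data.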
35diff --git a/ubuntu/17.04/usr.bin.totem b/ubuntu/17.04/usr.bin.totem
36index 758efe3..cc59717 100644
37--- a/ubuntu/17.04/usr.bin.totem
38+++ b/ubuntu/17.04/usr.bin.totem
39@@ -6,6 +6,7 @@
40 /usr/bin/totem {
41 #include <abstractions/audio>
42 #include <abstractions/dconf>
43+ #include <abstractions/ibus>
44 #include <abstractions/python>
45 #include <abstractions/totem>
46
47@@ -14,16 +15,22 @@
48
49 /usr/bin/totem r,
50 /usr/bin/totem-video-thumbnailer Pix,
51+ /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
52 /dev/sr* r,
53
54- # Allow read and write on anything in @{HOME}. Lenient, but
55+ # Quiet logs
56+ deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
57+
58+ # Allow read and write on almost anything in @{HOME}. Lenient, but
59 # private-files-strict is in effect.
60 #include <abstractions/private-files-strict>
61- owner @{HOME}/** rw,
62+ owner @{HOME}/[^.]* rw,
63+ owner @{HOME}/[^.]*/** rw,
64
65 owner /{,var/}run/user/*/dconf/user w,
66 owner /{,var/}run/user/*/at-spi2-*/ rw,
67 owner /{,var/}run/user/*/at-spi2-*/** rw,
68
69 /sys/devices/pci[0-9]*/**/config r,
70+ /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
71 }
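Review bot: the comment `# Allow read and write on almost anything in @{HOME}.` should state what is excluded, because that exclusion is the whole point of the change: `owner @{HOME}/[^.]* rw,` and `owner @{HOME}/[^.]*/** rw,` only match entries whose top-level name does not start with `.`, so any dotfile or dotdir Totem legitimately needs (tracker, gstreamer registry, thumbnails) has to be listed in abstractions/totem instead, and a future maintainer adding one here would silently re-widen the profile. Suggested wording: `# Allow read and write on anything in @{HOME} except hidden top-level entries;` followed by `# anything under a dotdir must be granted explicitly in abstractions/totem.` Hidden entries below a visible directory (a `.git/` inside a project) are still covered by the second rule, which matches the scope described in the discussion.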
72diff --git a/ubuntu/17.04/usr.bin.totem-previewers b/ubuntu/17.04/usr.bin.totem-previewers
73index a632034..c883ab9 100644
74--- a/ubuntu/17.04/usr.bin.totem-previewers
75+++ b/ubuntu/17.04/usr.bin.totem-previewers
76@@ -6,16 +6,17 @@
77 /usr/bin/totem-video-thumbnailer {
78 #include <abstractions/totem>
79
80- # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
81+ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
82 # effect.
83 #include <abstractions/private-files-strict>
84- owner @{HOME}/** r,
85+ owner @{HOME}/[^.]* rw,
86+ owner @{HOME}/[^.]*/** rw,
87
88 # Not needed by nautilus, but maybe other applications
89 owner /**.[pP][nN][gG] w,
90 owner /**.[jJ][pP]{,[eE]}[gG] w,
91
92- /usr/bin/totem-video-thumbnailer r,
93+ /usr/bin/totem-video-thumbnailer rm,
94 }
95
96 /usr/bin/totem-audio-preview {
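Review bot: the replacement rules widen the thumbnailer from read to read-write: `- owner @{HOME}/** r,` becomes `+ owner @{HOME}/[^.]* rw,` and `+ owner @{HOME}/[^.]*/** rw,`, while the comment just above still says "Allow read on almost anything". A thumbnailer parses untrusted media and has no reason to write back into the user's visible files; its outputs go to `.cache/thumbnails/**` via the abstraction and the `/**.png` and `/**.jpeg` rules below. Unless a concrete denial motivates the `w`, keep these two rules at `r`. The `r` to `rm` change on `/usr/bin/totem-video-thumbnailer` itself is fine.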
97@@ -25,5 +26,6 @@
98 # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
99 # effect.
100 #include <abstractions/private-files-strict>
101- owner @{HOME}/** r,
102+ owner @{HOME}/[^.]* rw,
103+ owner @{HOME}/[^.]*/** rw,
104 }
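Review bot: same read-to-write widening as in the thumbnailer profile: `owner @{HOME}/** r,` is replaced by two `rw` rules, and here the comment `# Allow read on anything in @{HOME}.` was not even updated to "almost anything". totem-audio-preview only needs to read the file it previews, so `owner @{HOME}/[^.]* r,` and `owner @{HOME}/[^.]*/** r,` plus a comment matching the one in the thumbnailer profile would keep the previewers at their previous privilege level.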
105diff --git a/ubuntu/17.10/abstractions/totem b/ubuntu/17.10/abstractions/totem
106index 23eb217..e9c792c 100644
107--- a/ubuntu/17.10/abstractions/totem
108+++ b/ubuntu/17.10/abstractions/totem
109@@ -30,13 +30,27 @@
110
111 /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
112
113- owner @{HOME}/.cache/tracker/meta.db k,
114- owner @{HOME}/.cache/tracker/meta.db-shm k,
115- owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm} k,
116+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
117+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
118+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
119+ owner @{HOME}/.cache/mesa/** rwk,
120+ owner @{HOME}/.cache/thumbnails/** rw,
121+ owner @{HOME}/.cache/totem/** rwk,
122+ owner @{HOME}/.cache/totem-* rwk,
123+ owner @{HOME}/.cache/tracker/db-locale.txt r,
124+ owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
125+ owner @{HOME}/.cache/tracker/ontologies.gvdb r,
126+ owner @{HOME}/.config/totem/ rwk,
127+ owner @{HOME}/.config/totem/** rwk,
128+ owner @{HOME}/.local/share/grilo-plugins/ rwk,
129+ owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
130+ owner @{HOME}/.local/share/gvfs-metadata/** r,
131+ owner @{HOME}/.local/share/totem/ rwk,
132
133 owner @{PROC}/@{pid}/status r,
134
135 /run/udev/data/c* r,
136 /run/udev/data/+drm:card* r,
137+ /run/udev/data/+usb* r,
138
139 /sys/devices/system/node/*/meminfo r,
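Review bot: `owner @{HOME}/.cache/mesa/** rwk,` appears only in this 17.10 copy; the 17.04 hunk above has the otherwise identical list without it, yet the commit discussion says the Mesa rule was added to fix a problem reported on Debian, not something specific to 17.10. Either mirror the rule into 17.04 or note why it is left out, otherwise the two copies diverge on the first real difference. The same directory gap as in 17.04 applies here: `.cache/totem/**` and `.cache/thumbnails/**` have no rule for the directory itself, unlike the `.config/totem/` and `.config/totem/**` pair.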
140diff --git a/ubuntu/17.10/usr.bin.totem b/ubuntu/17.10/usr.bin.totem
141index 758efe3..cc59717 100644
142--- a/ubuntu/17.10/usr.bin.totem
143+++ b/ubuntu/17.10/usr.bin.totem
144@@ -6,6 +6,7 @@
145 /usr/bin/totem {
146 #include <abstractions/audio>
147 #include <abstractions/dconf>
148+ #include <abstractions/ibus>
149 #include <abstractions/python>
150 #include <abstractions/totem>
151
152@@ -14,16 +15,22 @@
153
154 /usr/bin/totem r,
155 /usr/bin/totem-video-thumbnailer Pix,
156+ /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
157 /dev/sr* r,
158
159- # Allow read and write on anything in @{HOME}. Lenient, but
160+ # Quiet logs
161+ deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
162+
163+ # Allow read and write on almost anything in @{HOME}. Lenient, but
164 # private-files-strict is in effect.
165 #include <abstractions/private-files-strict>
166- owner @{HOME}/** rw,
167+ owner @{HOME}/[^.]* rw,
168+ owner @{HOME}/[^.]*/** rw,
169
170 owner /{,var/}run/user/*/dconf/user w,
171 owner /{,var/}run/user/*/at-spi2-*/ rw,
172 owner /{,var/}run/user/*/at-spi2-*/** rw,
173
174 /sys/devices/pci[0-9]*/**/config r,
175+ /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
176 }
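Review bot: the `# Quiet logs` rule `deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,` matches only the directory (trailing slash), so it silences the mkdir attempt but not writes to `.pyc` files inside a `__pycache__/` that already exists; if those show up in the logs as well, extend it to `__pycache__/** w`. Otherwise this copy tracks the 17.04 hunk exactly, including the `[^.]*` rules, whose exclusion of hidden top-level entries deserves a sentence in the "almost anything" comment.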
177diff --git a/ubuntu/17.10/usr.bin.totem-previewers b/ubuntu/17.10/usr.bin.totem-previewers
178index a632034..c883ab9 100644
179--- a/ubuntu/17.10/usr.bin.totem-previewers
180+++ b/ubuntu/17.10/usr.bin.totem-previewers
181@@ -6,16 +6,17 @@
182 /usr/bin/totem-video-thumbnailer {
183 #include <abstractions/totem>
184
185- # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
186+ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
187 # effect.
188 #include <abstractions/private-files-strict>
189- owner @{HOME}/** r,
190+ owner @{HOME}/[^.]* rw,
191+ owner @{HOME}/[^.]*/** rw,
192
193 # Not needed by nautilus, but maybe other applications
194 owner /**.[pP][nN][gG] w,
195 owner /**.[jJ][pP]{,[eE]}[gG] w,
196
197- /usr/bin/totem-video-thumbnailer r,
198+ /usr/bin/totem-video-thumbnailer rm,
199 }
200
201 /usr/bin/totem-audio-preview {
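Review bot: as in the 17.04 copy, `owner @{HOME}/** r,` is replaced by two `rw` rules here while the comment still says "Allow read on almost anything"; whatever is decided for 17.04 (keeping the thumbnailer at `r` unless a denial justifies writes) should be applied to this copy too so the two releases do not diverge.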
202@@ -25,5 +26,6 @@
203 # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
204 # effect.
205 #include <abstractions/private-files-strict>
206- owner @{HOME}/** r,
207+ owner @{HOME}/[^.]* rw,
208+ owner @{HOME}/[^.]*/** rw,
209 }
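Review bot: the audio-preview comment `# Allow read on anything in @{HOME}.` is out of date twice over in this copy: the rules now grant `rw`, and only non-hidden top-level entries are covered. Keep the rules at `r` as before and update the comment to match the thumbnailer's.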
