
Thread: Share your AppArmor Profiles

  1. #101
    Join Date
    Aug 2007
    Beans
    35
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Share your AppArmor Profiles

    Just sharing what I added to get Gmail voice & video chat working on Firefox (as of 3.6.x):

    # Gmail voice & video
    /opt/google/talkplugin/** rm,
    /opt/google/talkplugin/GoogleTalkPlugin Uxr,
    /dev/nvidiactl rw,
    /dev/nvidia0 rw,
    /dev/zero m,
    /proc/interrupts r,

    Maybe slightly different if you have an ATI/AMD video card.

    I'm not quite sure why the plugin needs to access "/dev/zero" and "/proc/interrupts". Can someone enlighten me?

  2. #102
    Join Date
    Apr 2010
    Location
    Wales, UK
    Beans
    93
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Share your AppArmor Profiles

    Here's an archive of all of my profiles so far. I'm sure there are a lot of redundant lines in there, mainly due to the fact that I've mixed and matched profiles and used apparmor-utils.

    Feel free to pick them apart

  3. #103
    Join Date
    Mar 2011
    Beans
    1

    Re: Share your AppArmor Profiles

    Thank you very much @CandidMan

  4. #104
    Join Date
    Dec 2010
    Location
    Sweden
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    Hi.

    I recently finished my transmission profile for Ubuntu 10.10, so I thought I would leave it here for all of you who want to confine transmission.

    Tested for Transmission 2.04 (11151).

    This profile gives you read and write access to the ~/Desktop and ~/Downloads directories.

    You should also be able to copy magnet links from your torrents to clipboard.

    Just put it in enforce mode and try it out.

    Enjoy!

    # DanneStrat's transmission profile for
    # Ubuntu 10.10

    #include <tunables/global>

    /usr/bin/transmission {
    #include <abstractions/base>


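    # Deny and audit access to per-user secrets. The * for the user directory
    # is required: without it the rules only cover a literal /home/.ssh and
    # /home/** r below would still allow reading /home/<user>/.ssh.
    audit deny /home/*/.ssh/ mrwkl,
    audit deny /home/*/.ssh/** mrwkl,
    audit deny /home/*/.gnome2_private/ mrwkl,
    audit deny /home/*/.gnome2_private/** mrwkl,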



    /etc/fonts/** r,
    /etc/gai.conf r,
    /etc/gnome/defaults.list r,
    /etc/group r,
    /etc/host.conf r,
    /etc/hosts r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /proc/*/fd/ r,
    /proc/*/mounts r,
    /tmp/orbit-*/linc* rw,
    /usr/bin/nautilus rix,
    /usr/lib/pango/1.6.0/modules/pango-basic-fc.so m,
    /usr/share/ r,
    /usr/share/** r,
    /var/cache/fontconfig/* r,
    /var/lib/defoma/fontconfig.d/fonts.conf r,
    /var/run/gdm/auth-for-*/database r,
    /var/run/resolvconf/resolv.conf r,

    /home/ r,
    /home/** r,
    /home/*/.cache/transmission/favicons/** rw,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini rw,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini* rw,
    /home/*/.config/transmission/blocklist.tmp rw,
    /home/*/.config/transmission/blocklists/* rw,
    /home/*/.config/transmission/dht.dat* rw,
    /home/*/.config/transmission/lock rwk,
    /home/*/.config/transmission/resume/** rw,
    /home/*/.config/transmission/settings.json rw,
    /home/*/.config/transmission/settings.json* rw,
    /home/*/.config/transmission/stats.json w,
    /home/*/.config/transmission/stats.json* rw,
    /home/*/.config/transmission/torrents/** rw,
    /home/*/.local/share/Trash/files/** w,
    /home/*/.local/share/Trash/info/** rw,
    /home/*/.recently-used* rw,
    /home/*/Downloads/** rw,
    /home/*/Desktop/** rw,

    }
    Last edited by DanneStrat; March 24th, 2011 at 09:55 PM.
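
AppArmor matches file rules by glob: `*` does not cross a `/`, `**` does, and a matching deny rule overrides any allow. The following added example (not part of the original post; it implements only `*`, `**` and `?`, and the rule sets and the path `/home/alice/.ssh/id_rsa` are constructed) shows why a deny rule meant to protect SSH keys, in a profile that also grants `/home/** r,`, needs a wildcard for the user directory:

```python
import re

PERMS = re.compile(r"[rwaxmlkiPpCcUu]+\Z")

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: **, * and ?."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")       # ** crosses directory separators
            i += 2
        elif glob[i] in "*?":
            out.append("[^/]*" if glob[i] == "*" else "[^/]")  # stop at /
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rules(text):
    """Return (is_deny, glob, perms) per file rule; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        words = line.strip().rstrip(",").split()
        is_deny = "deny" in words[:-2]
        words = [w for w in words if w not in ("audit", "deny")]
        if len(words) == 2 and words[0].startswith("/") and PERMS.match(words[1]):
            rules.append((is_deny, words[0], words[1]))
    return rules

def decide(rules, path, perm):
    """A matching deny wins over any allow; no matching rule means denied."""
    hits = [(deny, g) for deny, g, perms in rules
            if perm in perms and glob_to_regex(g).match(path)]
    for deny, g in hits:
        if deny:
            return ("denied", g)
    return ("allowed", hits[0][1]) if hits else ("denied", None)

# Constructed rule sets: the same three rules, without and with the user wildcard.
LITERAL = "audit deny /home/.ssh/** mrwkl,\n/home/** r,\n/home/*/Downloads/** rw,\n"
WILDCARD = LITERAL.replace("/home/.ssh/", "/home/*/.ssh/")
KEY = "/home/alice/.ssh/id_rsa"  # constructed path

if __name__ == "__main__":
    for name, text in (("literal", LITERAL), ("wildcard", WILDCARD)):
        print(name, decide(parse_rules(text), KEY, "r"))
```

With the literal path the read is allowed through `/home/**`; with the wildcard form the deny rule matches and wins.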

  5. #105
    Join Date
    Dec 2010
    Location
    Sweden
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    Here is my profile for qbittorrent (tested with v. 2.7.1 on ubuntu 10.10)

    # DanneStrat's qbittorrent profile for
    # ubuntu 10.10


    #include <tunables/global>

    /usr/bin/qbittorrent {
    #include <abstractions/base>



    /bin/dash r,
    /etc/fonts/** r,
    /etc/gai.conf r,
    /etc/gnome-vfs-2.0/modules/ r,
    /etc/gnome-vfs-2.0/modules/** r,
    /etc/gnome/defaults.list r,
    /etc/group r,
    /etc/host.conf r,
    /etc/hosts r,
    /etc/nsswitch.conf r,
    /etc/passwd r,
    /etc/python2.6/** r,
    /etc/xdg/Trolltech.conf rk,
    /proc/*/fd/ r,
    /proc/*/mounts r,
    /tmp/orbit-*/linc* rw,
    /tmp/qtsingleapp* rwk,
    /usr/bin/gnome-open rix,
    /usr/bin/nautilus rix,
    /usr/bin/python2.6 rix,
    /usr/bin/xdg-open rix,
    /usr/lib/pango/1.6.0/modules/pango-basic-fc.so m,
    /usr/lib/python2.6/lib-dynload/_json.so m,
    /usr/local/lib/python2.6/dist-packages/ r,
    /usr/local/lib/python2.6/dist-packages/** r,
    /usr/share/applications/defaults.list r,
    /usr/share/applications/mimeinfo.cache r,
    /usr/share/applications/nautilus.desktop r,
    /usr/share/applications/nautilus-folder-handler.desktop r,
    /usr/share/fonts/** r,
    /usr/share/GeoIP/** r,
    /usr/share/gnome/applications/mimeinfo.cache r,
    /usr/share/gvfs/remote-volume-monitors/ r,
    /usr/share/gvfs/remote-volume-monitors/** r,
    /usr/share/icons/ r,
    /usr/share/icons/** rk,
    /usr/share/mime/mime.cache r,
    /usr/share/pixmaps/ r,
    /usr/share/pixmaps/** r,
    /usr/share/pyshared/** r,
    /usr/share/qt4/** r,
    /usr/share/themes/** r,
    /usr/share/X11/** r,
    /var/cache/fontconfig/** r,
    /var/lib/defoma/fontconfig.d/fonts.conf r,
    /var/run/gdm/auth-for-** r,
    /var/run/resolvconf/resolv.conf r,

    /home/ r,
    /home/** r,
    /home/*/.cache/qBittorrent/** rw,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini rw,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini* rw,
    /home/*/.config/qBittorrent/** rwk,
    /home/*/.config/Trolltech.conf rk,
    /home/*/.config/user-dirs.dirs r,
    /home/*/.gtk-bookmarks r,
    /home/*/.local/share/data/qBittorrent/** rw,
    /home/*/.recently-used.xbel r,
    /home/*/.thumbnails/** r,
    /home/*/Desktop/** rw,
    /home/*/Downloads/** rw,


    }

  6. #106
    Join Date
    Sep 2009
    Location
    Bangkok, Thailand
    Beans
    228
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Share your AppArmor Profiles

    Quote Originally Posted by BkkBonanza View Post
    @Bodhi,

    I tried out a couple profiles from your site's repo. Wireshark and Skype. I think Wireshark worked well except a minor change for usb devices ("/dev/usbmon? r," if you even use it for watching usb traffic).

    But Skype has changed a fair bit since that one was created. This nasty program wants to get to all sorts of system info and you can't enforce against it without the program not starting. I ended up enabling the things it wanted.

    The one thing I wanted to ask about is why it wants "m" access to the /etc/passwd file. I know the passwords aren't stored there now but I'm just curious what use it has for looking at the "accounts list" and related info.

    Along with denying access to the /var/lib/dbus/machine-id file, I'd much prefer it not look at those files. But that doesn't appear to be a usable option.

    Anyway, I updated my own copy of the skype profile to work with 10.4 and Skype 2.1 and if anyone wants it I could post it here.
    That sounds interesting. It's a shame there isn't an open-source Skype. But I'm stuck with it... I need it to make lots of international calls to landlines etc...

    I'd like to see your skype profile if you don't mind posting it. I've just installed Natty. Does a lot need to be changed in apparmor profiles when upgrading Ubuntu?

  7. #107
    Join Date
    Dec 2010
    Location
    Sweden
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    I recently made a midori profile for Lucid (tested with midori 0.3.6).

    Here it is:

    # DanneStrat's midori profile for
    # Ubuntu 10.04

    #include <tunables/global>

    /usr/bin/midori {
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/ubuntu-konsole>

    capability sys_ptrace,


    /bin/dash rix,
    /bin/grep rix,
    /bin/ps rix,
    /dev/shm/ r,
    /dev/shm/pulse-shm* rw,
    /etc/java-6-openjdk/** r,
    /etc/pulse/client.conf r,
    /etc/ssl/certs/ca-certificates.crt r,
    /etc/xdg/midori/extensions/libadblock.so/config r,
    /etc/xdg/midori/search r,
    /proc/ r,
    /proc/*/cmdline r,
    /proc/*/fd/ r,
    /proc/*/stat r,
    /proc/*/status r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    /proc/uptime r,
    /proc/version r,
    /sys/devices/system/cpu/ r,
    /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so m,
    /usr/lib/gtk-2.0/2.10.0/loaders/svg_loader.so m,
    /usr/lib/jvm/java-6-openjdk/jre/bin/java rix,
    /usr/lib/jvm/java-6-openjdk/jre/lib/i386/IcedTeaPlugin.so m,
    /usr/lib/pango/1.6.0/modules/pango-*.so m,
    /usr/share/alsa/** r,
    /usr/share/applications/ r,
    /usr/share/applications/** r,
    /usr/share/enchant/* r,
    /usr/share/gvfs/remote-volume-monitors/ r,
    /usr/share/gvfs/remote-volume-monitors/** r,
    /usr/share/hunspell/** r,
    /usr/share/javascript/** r,
    /usr/share/libthai/** r,
    /usr/share/midori/** r,
    /usr/share/nvidia-current/** r,
    /usr/share/themes/** r,
    /usr/share/webkit-1.0/** r,
    /var/lib/dbus/machine-id r,

    /home/ r,
    /home/** r,
    /home/*/.cache/midori/** rw,
    /home/*/.config/enchant/*.dic rwk,
    /home/*/.config/enchant/*.exc rwk,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini rw,
    /home/*/.config/gtk-2.0/gtkfilechooser.ini** rw,
    /home/*/.config/midori/** rwk,
    /home/*/.local/share/webkit/icondatabase/** rwk,
    /home/*/.macromedia/Flash_Player/#SharedObjects/*/** rw,
    /home/*/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/** rw,
    /home/*/.pulse-cookie rwk,
    /home/*/Desktop/** rw,
    /home/*/Downloads/** rw,


    }

    With this profile loaded you can only download files to your "Desktop" and "downloads" directory. Also you will not be able to open files with external applications directly.

  8. #108
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    455
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: Share your AppArmor Profiles

    Having problems setting up apparmor profile for firefox. I used sudo aa-genprof firefox. I start the process. Open firefox do all the things I want. Then close firefox. Press S for Scan in the terminal. Allow what I want. Then Save and Finish. Reload profiles and enforce firefox. Firefox won't open unless I stop apparmor or sudo genprof again. Not sure what I am doing wrong.

  9. #109
    Join Date
    Dec 2010
    Location
    Sweden
    Beans
    Hidden!

    Re: Share your AppArmor Profiles

    Quote Originally Posted by BigCityCat View Post
    Having problems setting up apparmor profile for firefox. I used sudo aa-genprof firefox. I start the process. Open firefox do all the things I want. Then close firefox. Press S for Scan in the terminal. Allow what I want. Then Save and Finish. Reload profiles and enforce firefox. Firefox won't open unless I stop apparmor or sudo genprof again. Not sure what I am doing wrong.
    I can try to help you with this, but could you make a separate thread and post the link here? This way we keep this profile-share thread clean.
    I have a subscription on this thread btw, so I will notice when new stuff gets posted.
    Last edited by DanneStrat; November 28th, 2011 at 04:57 AM.

  10. #110
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Share your AppArmor Profiles

    Quote Originally Posted by BigCityCat View Post
    Having problems setting up apparmor profile for firefox. I used sudo aa-genprof firefox. I start the process. Open firefox do all the things I want. Then close firefox. Press S for Scan in the terminal. Allow what I want. Then Save and Finish. Reload profiles and enforce firefox. Firefox won't open unless I stop apparmor or sudo genprof again. Not sure what I am doing wrong.
    1. Firefox is a large and complex application, and thus it is not a good one to start with.

    2. There is already an apparmor profile for firefox, why not use or modify that one?

    3. To debug firefox you would need to post the errors you are getting in your logs.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
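
The log entries asked for in point 3 are the kernel's `apparmor="DENIED"` records. As an added example (not part of the original post; the log lines, profile names and paths are constructed), this groups them by profile and path, so it is clear which accesses an enforced profile is blocking:

```python
import re
from collections import defaultdict

# Constructed records in the format the kernel writes for AppArmor events
# (seen in /var/log/kern.log or the audit log); profiles and paths are made up.
SAMPLE_LOG = """\
[812.101] type=1400 audit(1322454662.101:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/example-browser" name="/home/alice/.config/example/prefs.js" pid=2201 comm="example-browser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[812.140] type=1400 audit(1322454662.140:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/example-browser" name="/home/alice/.config/example/prefs.js" pid=2201 comm="example-browser" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[812.203] type=1400 audit(1322454662.203:33): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/example-browser" name="/usr/lib/example/libplugin.so" pid=2201 comm="example-browser" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[812.377] type=1400 audit(1322454662.377:34): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/other-tool" name="/etc/hosts" pid=2240 comm="other-tool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[813.010] type=1400 audit(1322454663.010:35): apparmor="STATUS" operation="profile_replace" name="/usr/bin/example-browser" pid=2190 comm="apparmor_parser"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log):
    """Yield one field dict per DENIED record; ALLOWED (complain mode)
    and STATUS records are skipped."""
    for line in log.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def summarize(log):
    """Map profile -> {path: combined denied permissions}."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in parse_denials(log):
        seen[f["profile"]][f["name"]].update(f.get("denied_mask", ""))
    return {profile: {path: "".join(sorted(mask)) for path, mask in paths.items()}
            for profile, paths in seen.items()}

if __name__ == "__main__":
    for profile, paths in summarize(SAMPLE_LOG).items():
        print(profile)
        for path, mask in sorted(paths.items()):
            print(f"  {path} {mask}")
```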
