Толстоевский» Blog Archive » Skype for Linux Alpha apparmor profile

Skype for Linux Alpha apparmor profile

Решил запилить на основе профиля для старого скайпа — дабы новый тоже не борзел со шпионскими функциями. Не знаю, в какой степени это поможет, критика приветствуется.

# Modifications by Tolstoevsky # based on legacy Skype profile by # - Андрей Калинин, LP: #226624 # - Jamie Strandboge and Ivan Frederiks, LP: #933440 #include <tunables/global> /usr/bin/skypeforlinux flags=(complain) { #include <abstractions/audio> #include <abstractions/base> #include <abstractions/dbus-session> #include <abstractions/fonts> #include <abstractions/freedesktop.org> #include <abstractions/gnome> #include <abstractions/ibus> #include <abstractions/kde> #include <abstractions/nameservice> #include <abstractions/nvidia> #include <abstractions/ssl_certs> #include <abstractions/user-tmp> #include <abstractions/X>

@{PROC}/sys/kernel/{ostype,osrelease} r,
@{PROC}/@{pid}/net/arp r,
@{PROC}/@{pid}/net/dev r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/[0-9]*/stat r,

/sys/devices/**/power_supply/**/online r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,

/dev/ r,
owner /{dev,run}/shm/pulse-shm* m,
/dev/snd/* m,
/dev/video* mrw,

/var/cache/libx11/compose/* r,

# should this be in a separate KDE abstraction?
owner @{HOME}/.kde{,4}/share/config/kioslaverc r,

/usr/bin/skypeforlinux mr,
/etc/xdg/sni-qt.conf rk,
/etc/xdg/Trolltech.conf rk,
/usr/share/skypeforlinux/** kr,
/usr/share/skypeforlinux/**/*.qm mr,
/usr/share/skypeforlinux/sounds/*.wav kr,
/usr/lib/@{multiarch}/pango/** mr,

# For opening links in the browser (still requires explicit access to execute
# the browser)
/usr/bin/xdg-open ixr,

owner @{HOME}/.config/ r,
owner @{HOME}/.config/*/ r,
owner @{HOME}/.config/skypeforlinux/* rw,
owner @{HOME}/.config/Trolltech.conf kr,

# Skype traverses the .mozilla directory and needs access to prefs.js
owner @{HOME}/.mozilla/ r,
owner @{HOME}/.mozilla/**/ r,
owner @{HOME}/.mozilla/*/*/prefs.js r,

# Skype also looks around in these directories

/{,usr/,usr/local/}lib/ r,

# Recent skype builds have an executable stack, so it tries to mmap certain
# files. Let’s deny them for now.
deny /etc/passwd m,
deny /etc/group m,
deny /usr/share/fonts/** m,

# Silence a few non-needed writes
deny /var/cache/fontconfig/ w,
deny owner @{HOME}/.fontconfig/ w,
deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
}

This entry was posted on Вторник, 20 декабря, 2016 at 17:00 and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.

Толстоевский

Skype for Linux Alpha apparmor profile

Поиск

Дополнительные ссылки

Свежие записи

Свежие комментарии

Архивы

Мета

Рубрики