[apparmor] [PATCH] add irssi profile to apparmor-profiles for Ubuntu 11.04 and 11.10

Steve Beattie steve at nxnw.org
Fri Jul 15 22:25:52 UTC 2011


On Fri, Jul 15, 2011 at 04:55:37PM -0500, Jamie Strandboge wrote:
> Attached is a patch to add an irssi profile to the apparmor-profiles
> repo. Profiles are for Ubuntu 11.04 and 11.10. This profile is pretty
> strict, but allows for:
> 
> - use within screen
> - /uptime
> - /calc
> - access to config files in @{HOME}/.irssi/
> - access to log files in @{HOME}/irclogs/
> - use of fnotify (http://www.leemhuis.info/files/fnotify)
> 
> Couple of considerations:
> - Note that while it allows read of @{HOME}/.irssi/scripts, it does not
> allow writes to this directory.
> - allows ix for:
>   - dash
>   - screen (for screen_away)
>   - gawk, expr, date (for /uptime)
>   - which and bc (for /calc)
> - writes are kept to a minimum, specifically

I found, with a stock irssi install on Ubuntu 10.10, that I needed to add
the following to your 11.04 policy:

  /usr/share/irssi/themes/*.theme r,
  /usr/share/irssi/help/* r,

I also note the existence of /usr/share/irssi/scripts/, but my irssi
fu is not knowledgeable enough to know how those are used.

> === added file 'ubuntu/11.04/usr.bin.irssi'
> --- ubuntu/11.04/usr.bin.irssi	1970-01-01 00:00:00 +0000
> +++ ubuntu/11.04/usr.bin.irssi	2011-07-15 20:56:01 +0000
> @@ -0,0 +1,45 @@
> +# Author: Jamie Strandboge
> +#         For use with irssi within screen
> +#include <tunables/global>
> +
> +/usr/bin/irssi {
> +  #include <abstractions/base>
> +  #include <abstractions/nameservice>
> +  #include <abstractions/perl>
> +  #include <abstractions/ssl_certs>
> +
> +  /usr/share/ca-certificates/** r,
> +  @{PROC}/uptime r,
> +  /bin/dash ix,
> +
> +  # for screen_away
> +  #include <abstractions/wutmp>
> +  /usr/bin/screen ix,
> +  owner /var/run/screen/** r,
> +  owner /var/run/screen/S-[a-zA-Z0-9]*/[0-9]* w,
> +  @{PROC}/[0-9]*/stat r,
> +
> +  # for /uptime
> +  /usr/bin/gawk ix,
> +  /usr/bin/expr ix,
> +  /bin/date ix,
> +
> +  # for /calc
> +  /usr/bin/bc ix,
> +  /bin/which ixr,
> +
> +  # config files, etc
> +  owner @{HOME}/.irssi/ r,
> +  owner @{HOME}/.irssi/** r,
> +  owner @{HOME}/.irssi/away.log wk,
> +  owner @{HOME}/.irssi/config{,.autosave} wk,
> +  owner @{HOME}/.irssi/*.theme wk,
> +
> +  # http://www.irssi.org/documentation/startup states that ~/irclogs is the
> +  # default location for logs.
> +  owner @{HOME}/irclogs/ r,
> +  owner @{HOME}/irclogs/** rwk,
> +
> +  # for fnotify
> +  owner @{HOME}/.irssi/fnotify rwk,
> +}
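
Review bot: `@{PROC}/[0-9]*/stat r,` in the screen_away group carries no `owner` prefix, unlike the two /var/run/screen rules directly above it, so it grants read on the stat file of every process on the system rather than only the user's own. If screen_away only inspects the user's own screen processes, write it as `owner @{PROC}/[0-9]*/stat r,`; if it does need other users' processes, a comment saying why would help the next reader.
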
> 
> === added file 'ubuntu/11.10/usr.bin.irssi'
> --- ubuntu/11.10/usr.bin.irssi	1970-01-01 00:00:00 +0000
> +++ ubuntu/11.10/usr.bin.irssi	2011-07-15 21:52:34 +0000
> @@ -0,0 +1,45 @@
> +# Author: Jamie Strandboge
> +#         For use with irssi within screen
> +#include <tunables/global>
> +
> +/usr/bin/irssi {
> +  #include <abstractions/base>
> +  #include <abstractions/nameservice>
> +  #include <abstractions/perl>
> +  #include <abstractions/ssl_certs>
> +
> +  /usr/share/ca-certificates/** r,
> +  @{PROC}/uptime r,
> +  /bin/dash ix,
> +
> +  # for screen_away
> +  #include <abstractions/wutmp>
> +  /usr/bin/screen ix,
> +  owner /{,var/}run/screen/** r,
> +  owner /{,var/}run/screen/S-[a-zA-Z0-9]*/[0-9]* w,
> +  @{PROC}/[0-9]*/stat r,
> +
> +  # for /uptime
> +  /usr/bin/gawk ix,
> +  /usr/bin/expr ix,
> +  /bin/date ix,
> +
> +  # for /calc
> +  /usr/bin/bc ix,
> +  /bin/which ixr,
> +
> +  # config files, etc
> +  owner @{HOME}/.irssi/ r,
> +  owner @{HOME}/.irssi/** r,
> +  owner @{HOME}/.irssi/away.log wk,
> +  owner @{HOME}/.irssi/config{,.autosave} wk,
> +  owner @{HOME}/.irssi/*.theme wk,
> +
> +  # http://www.irssi.org/documentation/startup states that ~/irclogs is the
> +  # default location for logs.
> +  owner @{HOME}/irclogs/ r,
> +  owner @{HOME}/irclogs/** rwk,
> +
> +  # for fnotify
> +  owner @{HOME}/.irssi/fnotify rwk,
> +}
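
Review bot: `/bin/dash ix,` sits at the top of the profile with no comment naming the feature that needs a shell, while every other executable rule is grouped under the command it serves (screen_away, /uptime, /calc). Because `ix` keeps the child under this same profile the exposure is bounded, but a one-line comment, or moving the rule into the group that uses it, would let a later reader tell whether it can be dropped. The same applies to `/bin/which ixr,`, the only helper that also gets `r`.
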
> 

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/