[apparmor] Updating the Pidgin profile

Simon Deziel simon.deziel at gmail.com
Wed Jan 15 01:00:53 UTC 2014


On 14-01-14 12:16 PM, intrigeri wrote:
> Hi,
> 
> confining Pidgin is a top-priority for Tails, so I've been looking
> into it to see what profile I'll integrate into the
> apparmor-profiles-extra Debian package.
> 
> The Pidgin profile in lp:~apparmor-dev/apparmor-profiles/master hasn't
> changed since 11.04. I somewhat doubt that anyone has even tried using
> it with a recent Pidgin.
> 
> For about two years, I've been locally maintaining and using another
> Pidgin profile. It may be too liberal in various aspects (and I'm
> happy to hear about it, reviews are more than welcome!), but at least
> it is up-to-date and works fine on current Debian unstable.
> I'm attaching it in its current state.
> 
> The diff is quite large (better use --ignore-space-change, as the
> profile on Launchpad uses tab indentation, contrary to all other
> profiles I've seen).
> 
> What would be the next steps towards merging my changes?
> 
> Should I split my changes into incremental commits? Does it seem crazy
> to un-bitrot the profile all at once, after I do the changes that
> a serious review will no doubt ask for?
> 
> Cheers,
> 
> 
> 

I'm looking forward to having a refreshed profile for Pidgin, thanks for
bringing this here.

I'll add some comments inline.

> # vim:syntax=apparmor
> 
> #include <tunables/global>
> 
> /usr/bin/pidgin {
>   #include <abstractions/audio>
>   #include <abstractions/aspell>
>   #include <abstractions/base>
>   #include <abstractions/bash>
>   #include <abstractions/consoles>
>   #include <abstractions/dbus>
>   #include <abstractions/dbus-session>
>   #include <abstractions/fonts>
>   #include <abstractions/freedesktop.org>
>   #include <abstractions/gnome>
>   #include <abstractions/launchpad-integration>
>   #include <abstractions/nameservice>
>   #include <abstractions/private-files-strict>
>   #include <abstractions/ubuntu-browsers>
>   #include <abstractions/ubuntu-console-browsers>
>   #include <abstractions/user-download>
>   #include <abstractions/user-tmp>
>   #include <abstractions/ibus>
>   #include <abstractions/X>

As Seth noted already, some abstractions are overlapping.

>   deny capability sys_ptrace,
> 
>   deny @{HOME}/.bash* rw,
>   deny @{HOME}/.cshrc rw,
>   deny @{HOME}/.profile rw,
>   deny @{HOME}/.zshrc rw,

Those 4 denies are covered by abstractions/private-files-strict.

>   owner @{HOME}/.cache/dconf/user rw,
>   owner @{HOME}/.config/dconf/user r,
>   owner @{HOME}/.config/enchant/ rw,
>   owner @{HOME}/.config/enchant/* rwk,
>   owner @{HOME}/.local/share/icons/ r,
>   owner @{HOME}/.local/share/mime/* r,
>   owner @{HOME}/.gnome2/nautilus-sendto/** rw,
>   owner @{HOME}/.gstreamer*/ rw,
>   owner @{HOME}/.gstreamer*/** rw,
>   owner @{HOME}/.pulse/ rw,
>   owner @{HOME}/.pulse/** rw,
>   owner @{HOME}/.pulse-cookie rwk,

The pulse-related rules are covered by abstractions/audio.

>   owner @{HOME}/.purple/ rw,
>   owner @{HOME}/.purple/** rwk,
> 
>   /bin/dash rix,
> 
>   /{dev,run}/shm/ r,
>   /{dev,run}/shm/* rw,
> 
>   /etc/ r,
>   /etc/pulse/client.conf r,
>   /etc/ssl/certs/ r,
>   /etc/ssl/certs/** r,
>   /etc/ssl/certs/ssl-cert-snakeoil.pem r,

Those SSL-related rules are in abstractions/ssl_certs.

>   owner /tmp/orbit-*/* w,
>   owner /tmp/pulse-*/* w,

Same thing about /tmp/pulse-*/* being in abstractions/audio.

> 
>   /usr/bin/gconftool-2 rix,
>   /usr/bin/gnome-default-applications-properties ix,
>   /usr/bin/gnome-network-preferences ix,
>   /usr/bin/gnome-open rmix,
>   /usr/bin/gsettings rix,
>   /usr/bin/pidgin r,
>   /usr/bin/xdg-open rmix,
>   /bin/which rix,
>   /usr/bin/gvfs-open rmix,
> 
>   /usr/share/glib-2.0/schemas/gschemas.compiled r,
> 
>   /usr/lib/ r,
>   /usr/lib/frei0r-1/*.so rm,
>   /usr/lib/libvisual-*/**.so rm,
>   /usr/lib/pidgin/*.so rm,
>   /usr/lib/purple*/*.so rm,
> 
>   /usr/share/ca-certificates/*/** r,

In abstractions/ssl_certs too.

>   /usr/share/enchant/enchant.ordering r,
>   /usr/share/locale-langpack/** rm,
>   /usr/share/purple/ca-certs/ r,
>   /usr/share/purple/ca-certs/** r,
>   /usr/share/myspell/dicts/ r,
>   /usr/share/myspell/dicts/** r,
>   /usr/share/tcltk/** r,
> 
>   /usr/share/themes/ r,
>   /usr/share/themes/** r,
> 
>   /usr/share/hunspell/ r,
>   /usr/share/hunspell/** r,
> 
>   deny @{PROC}/** r,
> 
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/usr.bin.pidgin>
> }

I don't know if that could be useful to you, but I've been using a
customized profile on Ubuntu 12.04, available at
https://github.com/simondeziel/aa-profiles/blob/master/12.04/usr.bin.pidgin

Thanks,
Simon
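One way to mechanise the kind of review done above (flagging profile rules that an included abstraction already grants), as an added example that belongs to neither the thread nor either profile. The abstraction contents and the profile excerpt are constructed stand-ins, and the covering check is a heuristic, as its docstring explains:

```python
import re
RULE_RE = re.compile(r"^(deny\s+)?(owner\s+)?(\S+)\s+([A-Za-z]+),$")
INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>")
# Constructed stand-ins: a few rules per abstraction (not the real files) and
# an excerpt of the posted profile, with ssl_certs included as the mail suggests.
ABSTRACTIONS = {
    "abstractions/audio": ["owner @{HOME}/.pulse-cookie rwk,", "owner /tmp/pulse-*/** rw,"],
    "abstractions/ssl_certs": ["/etc/ssl/certs/ r,", "/etc/ssl/certs/** r,"],
    "abstractions/private-files-strict": ["deny @{HOME}/.bash* rw,", "deny @{HOME}/.profile rw,"],
}
SAMPLE_PROFILE = """  #include <abstractions/audio>
  #include <abstractions/private-files-strict>
  #include <abstractions/ssl_certs>
  deny @{HOME}/.bash* rw,
  owner @{HOME}/.pulse-cookie rwk,
  owner @{HOME}/.purple/** rwk,
  /etc/ssl/certs/ssl-cert-snakeoil.pem r,
  owner /tmp/pulse-*/* w,"""

def parse_rule(line):
    """-> (deny, owner, path, perms, text), or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    return m and (bool(m[1]), bool(m[2]), m[3], frozenset(m[4]), line.strip())

def glob_to_regex(path):
    """AppArmor glob -> regex: ** spans '/', * does not, {a,b} alternates, @{VAR} is literal."""
    out, i = "", 0
    while i < len(path):
        if path.startswith("@{", i):                       # variable reference: copy literally
            j = path.index("}", i) + 1
            out, i = out + re.escape(path[i:j]), j
        elif path.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            out += {"*": "[^/]*", "?": "[^/]", "{": "(", "}": ")", ",": "|"}.get(path[i], re.escape(path[i]))
            i += 1
    return re.compile(out + "$")

def covers(a, r):
    """Abstraction rule a subsumes profile rule r: same deny/allow, a not more
    owner-restricted, a grants all of r's perms, a's glob matches r's path. r's
    path is matched literally, so a profile glob wider than a's can be misflagged."""
    return (a[0] == r[0] and (r[1] or not a[1]) and r[3] <= a[3]
            and glob_to_regex(a[2]).match(r[2]) is not None)

def find_redundant(profile_text, abstractions=ABSTRACTIONS):
    """[(rule text, abstraction)] for each profile rule some included abstraction covers."""
    included = [m[1] for m in map(INCLUDE_RE.match, profile_text.splitlines()) if m]
    abs_rules = [(n, parse_rule(l)) for n in included for l in abstractions.get(n, [])]
    rules = [r for r in map(parse_rule, profile_text.splitlines()) if r]
    return list({r[4]: n for r in rules for n, a in abs_rules if covers(a, r)}.items())
```

Hits are candidates for a human to confirm, exactly as the inline comments above do; on a real system you would load the abstraction lists from /etc/apparmor.d/abstractions instead of the constructed dictionary.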
