[apparmor] Updating the Pidgin profile
intrigeri
intrigeri at debian.org
Fri Jan 17 11:38:23 UTC 2014
Hi Simon,
Simon Deziel wrote (15 Jan 2014 01:00:53 GMT) :
> I don't know if that could be useful to you but I've been using a
> customized profile on Ubuntu 12.04 available at
> https://github.com/simondeziel/aa-profiles/blob/master/12.04/usr.bin.pidgin
I have some questions and comments about it.
> #include <abstractions/aspell>
I have instead included abstractions/enchant, that adds support for
aspell, myspell, etc.; this way, the spell checker should work
regardless of what backend Enchant is using. This also allowed me to
drop all this:
owner @{HOME}/.config/enchant/ rw,
owner @{HOME}/.config/enchant/* rwk,
/usr/share/enchant/enchant.ordering r,
/usr/share/myspell/dicts/ r,
/usr/share/myspell/dicts/** r,
/usr/share/hunspell/ r,
/usr/share/hunspell/** r,
Makes sense?
> #include <abstractions/consoles>
I have dropped this from my profile and I see no forbidden action
taking place. Any idea what this is useful for?
> #include <abstractions/ubuntu-helpers>
What is this useful for? I see no use of sanitized_helper in
this profile.
> owner @{HOME}/ r,
> owner @{HOME}/.thumbnails/normal/*.png r,
What is this useful for? My Pidgin seems to run fine without this.
> owner @{HOME}/.local/share/icons/ r,
> owner @{HOME}/.local/share/mime/* r,
Covered by abstractions/freedesktop.org.
> owner @{HOME}/.{cache,config}/dconf/user rw,
What is the "cache" part for?
> owner @{HOME}/.config/indicators/ rw,
> owner @{HOME}/.config/indicators/** rw,
What's this for? Perhaps it would be better suited for an existing (or
new) abstraction?
> owner /tmp/orbit-*/* w,
> owner /tmp/orcexec.* mr,
> owner @{HOME}/orcexec.* mr,
I had this too, but the profile works fine after removing it.
Maybe it's obsolete?
> owner @{PROC}/[0-9]*/auxv r,
My Pidgin does not seem to need this. Any idea if/why this is
really needed?
> /usr/bin/gconftool-2 rix,
> /usr/bin/gnome-default-applications-properties ix,
> /usr/bin/gnome-network-preferences ix,
I'm adding P, in case a profile is written for one of those some day.
> /usr/lib/ r,
My Pidgin does not seem to need this. Is it really needed?
> /usr/lib/libvisual-*/**.so rm,
I'm adding multiarch support in there.
> /usr/share/locale-langpack/** rm,
Isn't the "r" permission granted by abstractions/base enough? I'm not
running Ubuntu, so I'm not using langpacks and cannot test myself.
> /usr/share/themes/** r,
Covered by abstractions/gnome.
> /usr/share/glib-2.0/schemas/ r,
> /usr/share/glib-2.0/schemas/** r,
This seems to be enough here:
/usr/share/glib-2.0/schemas/gschemas.compiled r,
Any reason to open it more?
My last question is about the biggest hurdle I have here. How do you
handle the call to gnome-control-center from Preferences -> Browser ->
Configure Browser? I'm a bit reluctant to give Pidgin every credential
that gnome-control-center needs. Would it be a good use of
sanitized_helper (until g-c-c gets its own profile maybe someday)?
That's all for today :)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
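The individual changes discussed above, collected into one added AppArmor profile fragment for reference. This is editorial illustration, not Simon's profile nor Debian's packaged one; it assumes the standard tunables/global (for @{HOME} and @{multiarch}) and Ubuntu's abstractions/ubuntu-helpers (for sanitized_helper), and it is not a complete Pidgin profile:

```apparmor
# Added example only: the rules this thread argues for, with comments
# saying what each one replaces. Assumes tunables/global and, for the
# last rule, abstractions/ubuntu-helpers are available on the system.
#include <tunables/global>

/usr/bin/pidgin {
  #include <abstractions/base>
  #include <abstractions/gnome>
  #include <abstractions/freedesktop.org>

  # Spell checking: enchant pulls in aspell, myspell/hunspell and
  # ~/.config/enchant, so the explicit dictionary rules can go.
  #include <abstractions/enchant>

  # Multiarch-aware plugin path instead of /usr/lib/libvisual-*/**.so
  # (assumes @{multiarch} from tunables/multiarch is defined).
  /usr/lib/@{multiarch}/libvisual-*/**.so rm,

  # Only the compiled schema cache is read, not the whole schemas tree.
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # "Adding P": transition to the helper's own profile once one exists,
  # otherwise fall back to inheriting this profile (Pix), as before.
  /usr/bin/gconftool-2 rPix,
  /usr/bin/gnome-default-applications-properties Pix,
  /usr/bin/gnome-network-preferences Pix,

  # One answer to the gnome-control-center question: run it as the
  # sanitized_helper child profile instead of giving Pidgin its rights.
  # Assumption: abstractions/ubuntu-helpers is included and defines it.
  #include <abstractions/ubuntu-helpers>
  /usr/bin/gnome-control-center Cxr -> sanitized_helper,
}
```

Loading such a fragment with aa-complain first and watching for DENIED audit messages confirms whether the dropped rules (consoles, auxv, /usr/lib/ r) were in fact unused on a given system.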