[apparmor] Updating the Pidgin profile

Simon Deziel simon.deziel at gmail.com
Fri Jan 17 19:44:34 UTC 2014 

On 14-01-17 06:38 AM, intrigeri wrote:
> Hi Simon,
> 
> Simon Deziel wrote (15 Jan 2014 01:00:53 GMT) :
>> I don't know if that could be useful to you but I've been using a
>> customized profile on Ubuntu 12.04 available at
>> https://github.com/simondeziel/aa-profiles/blob/master/12.04/usr.bin.pidgin
> 
> I have some questions and comments about it.
> 
>>  #include <abstractions/aspell>
> 
> I have instead included abstractions/enchant, that adds support for
> aspell, myspell, etc.; this way, the spell checker should work
> regardless of what backend Enchant is using. This also allowed me to
> drop all this:
> 
>   owner @{HOME}/.config/enchant/ rw,
>   owner @{HOME}/.config/enchant/* rwk,
>   /usr/share/enchant/enchant.ordering r,
>   /usr/share/myspell/dicts/ r,
>   /usr/share/myspell/dicts/** r,
>   /usr/share/hunspell/        r,
>   /usr/share/hunspell/** r,
> 
> Makes sense?

Absolutely. After looking at abstractions/enchant I noticed the aspell
part includes abstractions/aspell and some other aspell related files. I
wonder why those aren't in  abstractions/aspell but that's a problem for
another day/person :)

>>  #include <abstractions/consoles>
> 
> I have dropped this from my profile and I see no forbidden action
> taking place. Any idea what this is useful for?

No idea as removing it didn't cause any problem on my side either. This
is from the original 11.04 profile.

>>  #include <abstractions/ubuntu-helpers>
> 
> What is this useful for? I see no use of sanitized_helper in
> this profile.

Indeed, I see not use of it either. It's also from the 11.04 profile

>> owner @{HOME}/ r,
>> owner @{HOME}/.thumbnails/normal/*.png r,
> 
> What is this useful for? My Pidgin seems to run fine without this.

My first bet was for avatars but apparently not as I can remove them too

>>  owner @{HOME}/.local/share/icons/ r,
>>  owner @{HOME}/.local/share/mime/* r,
> 
> Covered by abstractions/freedesktop.org.

Removed in my profile, thx.

>>  owner @{HOME}/.{cache,config}/dconf/user rw,
> 
> What is the "cache" part for?
> 
>>  owner @{HOME}/.config/indicators/ rw,
>>  owner @{HOME}/.config/indicators/** rw,
> 
> What's this for? Perhaps it would be better suited for an existing (or
> new) abstraction?

This one is a real mystery to me. In fact, I even deny some of it in my
local include:

  # XXX: prevent blacklisting pidgin, needs investigation
  audit deny
@{HOME}/.config/indicators/messages/applications-blacklist/** w,

IIRC from back when I added this, Pidgin would stop showing in mail/IM
notification area as it would blacklist itself.

>>  owner /tmp/orbit-*/* w,

This orbit one seems unneeded here.

>>  owner /tmp/orcexec.* mr,
>>  owner @{HOME}/orcexec.* mr,
> 
> I had this too, but the profile works fine after removing it.
> Maybe it's obsolete?

That is needed for sound notifications. The "@{HOME}/orcexec.*" is
needed when /tmp is mounted noexec.

>>  owner @{PROC}/[0-9]*/auxv r,
> 
> My Pidgin does not seem to need this. Any idea if/why this is
> really needed?

I need it here.

>>  /usr/bin/gconftool-2 rix,
>>  /usr/bin/gnome-default-applications-properties ix,
>>  /usr/bin/gnome-network-preferences ix,
> 
> I'm adding P, in case a profile is written for one of those some day.

P and i are incompatible as far as I understand.

>>  /usr/lib/ r,
> 
> My Pidgin does not seem to need this. Is it really needed?
> 
>>  /usr/lib/libvisual-*/**.so rm,
> 
> I'm adding multiarch support in there.

Good point.

>>  /usr/share/locale-langpack/** rm,
> 
> Isn't the "r" permission granted by abstraction/base enough? I'm not
> running Ubuntu, so I'm not using langpack's and cannot test myself.
> 
>>  /usr/share/themes/**        r,
> 
> Covered by abstractions/gnome.

True. It's weird that "/usr/share/themes/ r," was left out of the
abstraction.

>>  /usr/share/glib-2.0/schemas/ r,
>>  /usr/share/glib-2.0/schemas/** r,
> 
> This seems to be enough here:
> 
>   /usr/share/glib-2.0/schemas/gschemas.compiled r,
> 
> Any reason to open it more?

That sounds like a reasonable thing to do but I'm not familiar with this.

> My last question is about the biggest hurdle I have here. How do you
> handle the call to gnome-control-center from Preferences -> Browser ->
> Configure Browser? I'm a bit reluctant to give Pidgin every credential
> that gnome-control-center needs. Would it be a good use of
> sanitized_helper (until g-c-c gets its own profile maybe someday)?

I don't allow it here so it's a problem I wasn't even aware of.

> That's all for today :)
> 
> Cheers,


Thanks for the comments. I updated my profile on github.

Have a good one!

Simon

More information about the AppArmor mailing list