[apparmor] Updating the Pidgin profile
intrigeri
intrigeri at debian.org
Sun Jan 19 14:25:15 UTC 2014
Hi Simon,
we're getting close to merging our profiles, great!
See more comments and questions below.
I'm attaching my current profile. Feel free to have a look :)
Simon Deziel wrote (17 Jan 2014 19:44:34 GMT):
> On 14-01-17 06:38 AM, intrigeri wrote:
>>> owner @{HOME}/.{cache,config}/dconf/user rw,
>>
>> What is the "cache" part for?
I believe you have missed this question. Or maybe your following
answer (about .config/indicators) did cover this one too?
>>> owner @{HOME}/.config/indicators/ rw,
>>> owner @{HOME}/.config/indicators/** rw,
>>
>> What's this for? Perhaps it would be better suited for an existing (or
>> new) abstraction?
> This one is a real mystery to me. In fact, I even deny some of it in my
> local include:
> # XXX: prevent blacklisting pidgin, needs investigation
> audit deny @{HOME}/.config/indicators/messages/applications-blacklist/** w,
> IIRC from back when I added this, Pidgin would stop showing in the mail/IM
> notification area as it would blacklist itself.
OK. I guess I won't include it until it's clarified what happens (on
Ubuntu, I suppose) without these two lines, then.
>>> owner /tmp/orcexec.* mr,
>>> owner @{HOME}/orcexec.* mr,
>>
>> I had this too, but the profile works fine after removing it.
>> Maybe it's obsolete?
> That is needed for sound notifications. The "@{HOME}/orcexec.*" is
> needed when /tmp is mounted noexec.
OK, added.
>>> owner @{PROC}/[0-9]*/auxv r,
>>
>> My Pidgin does not seem to need this. Any idea if/why this is
>> really needed?
> I need it here.
Added, then.
>>> /usr/bin/gconftool-2 rix,
>>> /usr/bin/gnome-default-applications-properties ix,
>>> /usr/bin/gnome-network-preferences ix,
>>
>> I'm adding P, in case a profile is written for one of those some day.
> P and i are incompatible as far as I understand.
The documentation about it is very confusing, but Pix is valid.
>>> /usr/share/locale-langpack/** rm,
>>
>> Isn't the "r" permission granted by abstractions/base enough? I'm not
>> running Ubuntu, so I'm not using langpacks and cannot test myself.
Ping?
>>> /usr/share/themes/** r,
>>
>> Covered by abstractions/gnome.
> True. It's weird that "/usr/share/themes/ r," was left out of the
> abstraction.
Right. For another day/person, though.
>> My last question is about the biggest hurdle I have here. How do you
>> handle the call to gnome-control-center from Preferences -> Browser ->
>> Configure Browser? I'm a bit reluctant to give Pidgin every credential
>> that gnome-control-center needs. Would it be a good use of
>> sanitized_helper (until g-c-c gets its own profile maybe someday)?
> I don't allow it here so it's a problem I wasn't even aware of.
I think I'm going to complete a profile that requires running GNOME
control center and network configuration by hand, to start with, then.
Done in the attached profile.
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
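The rule semantics argued over above (the owner-scoped `rw` on `.config/indicators/**`, Simon's local `audit deny` that overrides part of it, `@{HOME}` expansion, the `[0-9]*` glob under `@{PROC}`) as an added Python example; this is not code from the thread or from the AppArmor project. It is a toy matcher: globbing covers only `*`, `**`, `[..]` and `{a,b}`, and `@{HOME}` is assumed to expand to `/home/*/` alone.

```python
import re
# Constructed variable table; AppArmor's tunables/home gives @{HOME} a trailing
# slash, so "@{HOME}/.config" produces "//", which is collapsed as AppArmor does.
VARS = {"@{HOME}": "/home/*/", "@{PROC}": "/proc/"}

def expand_vars(path):
    for name, value in VARS.items():
        path = path.replace(name, value)
    return re.sub(r"/+", "/", path)

def glob_to_regex(pattern):
    """AppArmor path glob (*, **, [..], {a,b}) to an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):  # ** also crosses "/"
            out.append(".*"); i += 2; continue
        if c == "*":                     # * stops at "/"
            out.append("[^/]*")
        elif c == "[":                   # character class, copied verbatim
            j = pattern.index("]", i); out.append(pattern[i:j + 1]); i = j
        elif c == "{":                   # {cache,config} alternation
            j = pattern.index("}", i); alts = pattern[i + 1:j].split(",")
            out.append("(?:%s)" % "|".join(map(re.escape, alts))); i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

RULE_RE = re.compile(r"^(?:audit\s+)?(?:(?P<deny>deny)\s+)?(?:(?P<owner>owner)\s+)?"
                     r"(?P<path>\S+)\s+(?P<perms>[a-zA-Z]+),$")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsed rule: " + line)
    return {"deny": bool(m["deny"]), "owner": bool(m["owner"]),
            "re": glob_to_regex(expand_vars(m["path"])), "perms": set(m["perms"])}

def check_access(rules, path, perm, is_owner=True):
    """True if `perm` on `path` is permitted; any matching deny beats every allow."""
    hits = [r for r in rules if perm in r["perms"] and r["re"].match(path)
            and (is_owner or not r["owner"])]  # owner rules cover only the user's own files
    return bool(hits) and not any(r["deny"] for r in hits)

# Rules quoted in the thread, including Simon's local deny override.
SAMPLE_RULES = [parse_rule(l) for l in [
    "owner @{HOME}/.{cache,config}/dconf/user rw,",
    "owner @{HOME}/.config/indicators/** rw,",
    "audit deny @{HOME}/.config/indicators/messages/applications-blacklist/** w,",
    "owner @{PROC}/[0-9]*/auxv r,"]]
```

Running it shows why the deny is what stops the self-blacklisting write: the `**` allow still matches that path, but a matching deny wins regardless of rule order.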
An embedded and charset-unspecified text was scrubbed...
Name: usr.bin.pidgin
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140119/f24d3bac/attachment.ksh>