paulbsd-salt/states/apparmor/templates/usr.bin.skype.j2


# AppArmor profile confining the Skype binary, shipped as a Salt-managed
# (Jinja) template.  Permission letters used below: r = read, w = write,
# m = map as executable (mmap PROT_EXEC), k = file locking, ix = execute and
# keep running under this same profile.  "owner" limits a rule to files owned
# by the user running skype; "deny" rules win over any allow rule above or
# below them and are quiet (the refused access is not logged).
#include <tunables/global>
/usr/bin/skype {
# Shared abstractions for a desktop GUI application (audio, D-Bus session bus,
# fonts, toolkit configuration, name resolution, TLS trust store, per-user tmp,
# X).  Every abstraction widens the profile; review this list when the
# application's needs change.
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/dbus-session>
#include <abstractions/fonts>
#include <abstractions/freedesktop.org>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/nvidia>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp>
#include <abstractions/X>
# Read-only kernel and process introspection.  The owner-qualified entries are
# restricted to the skype process's own /proc/<pid> tree.
@{PROC}/sys/kernel/{ostype,osrelease} r,
@{PROC}/@{pid}/net/arp r,
owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/[0-9]*/stat r,
# Power-supply and CPU-frequency state, read-only.
/sys/devices/**/power_supply/**/online r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
# Device access.  PulseAudio shared memory (own user only) and ALSA devices may
# be mapped; video devices (webcams) are readable, writable and mappable, which
# is the broadest device grant in this profile.
/dev/ r,
owner /{dev,run}/shm/pulse-shm* m,
/dev/snd/* m,
/dev/video* mrw,
/var/cache/libx11/compose/* r,
# should this be in a separate KDE abstraction?
owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
# The binary itself and its program data.  None of these rules grant write
# access under /usr, so the installed files cannot be modified from within the
# profile.
/usr/bin/skype mr,
/etc/xdg/sni-qt.conf rk,
/etc/xdg/Trolltech.conf rk,
/usr/share/skype/** kr,
/usr/share/skype/**/*.qm mr,
/usr/share/skype/sounds/*.wav kr,
/usr/lib{,32}/pango/** mr,
/usr/lib{,32}/libv4l/* mr,
# For opening links in the browser (still requires explicit access to execute
# the browser).  "ix" keeps xdg-open confined by this profile instead of
# letting it run unconfined.
/usr/bin/xdg-open ixr,
# Per-user state, limited to the invoking user's own files.  Among the rules
# listed here, the .Skype tree and Skype.conf are the only writable locations
# under @{HOME}; the included abstractions may add others.
owner @{HOME}/.Skype/ rw,
owner @{HOME}/.Skype/** krw,
owner @{HOME}/.config/ r,
owner @{HOME}/.config/*/ r,
owner @{HOME}/.config/Skype/Skype.conf rw,
owner @{HOME}/.config/Trolltech.conf kr,
# Skype traverses the .mozilla directory and needs access to prefs.js
# Explicitly refused so the browser profile stays private; the quiet deny also
# keeps these expected probes out of the audit log.
deny owner @{HOME}/.mozilla/ r,
deny owner @{HOME}/.mozilla/**/ r,
deny owner @{HOME}/.mozilla/*/*/prefs.js r,
# Skype also looks around in these directories
/{,usr/,usr/local/}lib{,32}/ r,
# Recent skype builds have an executable stack, so it tries to mmap certain
# files. Let's deny them for now.
# Only the "m" (executable mapping) permission is refused here; plain read
# access to these paths, where an abstraction above grants it, is unaffected.
deny /etc/passwd m,
deny /etc/group m,
deny /usr/share/fonts/** m,
# Silence a few non-needed writes
deny /var/cache/fontconfig/ w,
deny owner @{HOME}/.fontconfig/ w,
deny owner @{HOME}/.fontconfig/*.cache-*.TMP* w,
# NOTE(review): this template is overwritten on every Salt run, so site-local
# additions have nowhere to live; consider ending the profile with
# `#include if exists <local/usr.bin.skype>` if the target AppArmor version
# supports it — confirm before adding.
}