# vim:syntax=apparmor
#include <tunables/global>
# Specified profile variables
# @{APP_ID_DBUS} / @{APP_PKGNAME_DBUS} are the D-Bus object-path-safe spelling
# of the package name ("-" is escaped as "_2d"); they are substituted into the
# path= conditions of the per-app dbus rules below. @{APP_PKGNAME} is the
# unescaped package name.
@{APP_ID_DBUS}="webbrowser_2dapp"
@{APP_PKGNAME_DBUS}="webbrowser_2dapp"
@{APP_PKGNAME}="webbrowser-app"
profile "webbrowser-app" "/usr/bin/webbrowser-app" (attach_disconnected) {
# Baseline abstractions: libc/ld.so plumbing, font files and X11 client access.
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>
# Apps fail to start when linked against newer curl/gnutls if we don't allow
# this. (LP: #1350152)
#include <abstractions/openssl>
# Mir-specific stuff
#include <abstractions/mir>
# Needed by native GL applications on Mir
# "owner" limits this to a socket owned by the app's own uid, so the rule
# does not reach into another user's /run/user/<uid> directory.
owner /{,var/}run/user/*/mir_socket rw,
# Hardware-specific accesses
# Directory-style include: every file dropped into graphics.d is pulled into
# this profile, so that directory is part of the policy's trusted surface.
#include "/usr/share/apparmor/hardware/graphics.d"
#
# IPC rules common for all apps
#
# Allow connecting to session bus and where to connect to services
#include <abstractions/dbus-session-strict>
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
# communications with any system services is mediated elsewhere). This does
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
#include <abstractions/dbus-strict>
# Unity shell
# Throughout this profile, peer=(label=unconfined) means the rule only matches
# when the other end of the message runs unconfined (the shell/session
# services); another confined app on the same bus does not match.
# Outbound: only the generic introspection/property interfaces, and only to
# the named shell service.
dbus (send)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
# Inbound: visibility notifications from the shell on its own interface.
dbus (receive)
bus=session
path="/BottomBarVisibilityCommunicator"
interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
peer=(label=unconfined),
# Unity HUD
# Registration handshake: read the HUD's properties and register this app.
dbus (send)
bus=session
path="/com/canonical/hud"
interface="org.freedesktop.DBus.Properties"
member="GetAll"
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="RegisterApplication"
peer=(label=unconfined),
# Per-app HUD object. No interface= or member= qualifier, so any call or
# signal on these paths is allowed in both directions with an unconfined
# peer. Note the glob is attached directly to @{APP_ID_DBUS} with no
# separator, so it also matches any longer id that starts with this one.
dbus (receive, send)
bus=session
path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
peer=(label=unconfined),
# org.gtk.Menus publisher protocol: the HUD subscribes (Start/End) to this
# app's menu model ...
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Start"
peer=(label=unconfined),
dbus (receive)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="End"
peer=(label=unconfined),
# ... and the app broadcasts Changed. The peer name is the bus daemon itself
# because a broadcast signal has no destination.
dbus (send)
bus=session
path="/com/canonical/hud/publisher*"
interface="org.gtk.Menus"
member="Changed"
peer=(name=org.freedesktop.DBus,label=unconfined),
# org.gtk.Actions: the HUD enumerates and activates this app's actions;
# the app broadcasts Changed (again addressed to the bus daemon).
dbus (receive)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member={DescribeAll,Activate}
peer=(label=unconfined),
dbus (send)
bus=session
path="/com/canonical/unity/actions"
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus,label=unconfined),
# Context-specific action groups live under globbed /context_* paths;
# only DescribeAll (read-only enumeration) is accepted there, not Activate.
dbus (receive)
bus=session
path="/context_*"
interface=org.gtk.Actions
member="DescribeAll"
peer=(label=unconfined),
# HUD query updates for this app.
dbus (receive)
bus=session
path="/com/canonical/hud"
interface="com.canonical.hud"
member="UpdatedQuery"
peer=(label=unconfined),
# Liveness probe from the HUD. This rule has no path= condition, so
# CheckAwareness on this interface is accepted on any object path.
dbus (receive)
bus=session
interface="com.canonical.hud.Awareness"
member="CheckAwareness"
peer=(label=unconfined),
# on screen keyboard (OSK)
# Step 1: ask the maliit server (by well-known name) for its private address.
dbus (send)
bus=session
path="/org/maliit/server/address"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.maliit.server,label=unconfined),
# Step 2: talk to the keyboard over its abstract unix socket ("@" prefix).
# Unlike the dbus rules above, this rule constrains only the socket address
# pattern and not the peer's label; abstract sockets are not subject to
# filesystem permissions, so whoever binds a matching name is reachable.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/maliit-server/dbus-*"),
# clipboard (LP: #1371170)
# Clipboard is mediated by the (unconfined) QtMir compositor; both the
# clipboard interface itself and the generic introspection/property
# interfaces on that object are allowed in both directions.
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="com.canonical.QtMir.Clipboard"
peer=(label=unconfined),
dbus (receive, send)
bus=session
path="/com/canonical/QtMir/Clipboard"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
peer=(label=unconfined),
# usensors
# Haptic feedback only: send-only, single object path and interface, no
# member= restriction, so every method on the haptic interface is callable.
dbus (send)
bus=session
path=/com/canonical/usensord/haptic
interface=com.canonical.usensord.haptic
peer=(label=unconfined),
# URL dispatcher. All apps can call this since:
# a) the dispatched application is launched out of process and not
# controllable except via the specified URL
# b) the list of url types is strictly controlled
# c) the dispatched application will launch in the foreground over the
# confined app
# Deliberately send-only and pinned to the single DispatchURL member.
dbus (send)
bus=session
path="/com/canonical/URLDispatcher"
interface="com.canonical.URLDispatcher"
member="DispatchURL"
peer=(label=unconfined),
# This is needed when the app is already running and needs to be passed in
# a URL to open. This is most often used with content-hub providers and
# url-dispatcher, but is actually supported by Qt generally (though because
# we don't allow the corresponding send, a malicious app can't send this to
# another app).
# Receive-only, on this app's own object path, and only from an unconfined
# peer.
dbus (receive)
bus=session
path=/@{APP_ID_DBUS}
interface="org.freedesktop.Application"
member="Open"
peer=(label=unconfined),
# This is needed for apps to interact with the Launcher (eg, for the counter)
# Bidirectional on the app's own launcher object; no interface= or member=
# qualifier, so scope is bounded only by the per-app path and the peer label.
dbus (receive, send)
bus=session
path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
peer=(label=unconfined),
# Untrusted Helpers are 3rd party apps that run in a different confinement
# context and are in a separate Mir session from the calling app (eg, an
# app that uses a content provider from another app). These helpers use
# Trusted Prompt Sessions to overlay their window over the calling app and
# need to get the Mir socket that was setup by the associated trusted helper
# (eg, content-hub). Typical consumers are content-hub providers,
# pay-service, url-dispatcher and possibly online-accounts.
# LP: #1462492 - this rule is suboptimal and should not be needed once we
# move to socket activation or FD passing
# Bidirectional, but pinned to the single GetMirSocket member under this
# app's own UbuntuAppLaunch subtree (the trailing /* admits any child object).
dbus (receive, send)
path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*
interface="com.canonical.UbuntuAppLaunch.SocketDemangler"
member="GetMirSocket"
bus=session
peer=(label=unconfined),
# Allow access to the socket-demangler (needed for the above)
# r = read, m = mmap executable, ix = execute with this same profile
# inherited, i.e. the demangler runs under the app's confinement rather than
# transitioning to a profile of its own.
/usr/lib/@{multiarch}/ubuntu-app-launch/socket-demangler rmix,