Commit 85b32b91 authored by Emanuele Aina

chaiwala-apparmor-profiles: Ship the tracker profiles

They used to be carried by the tracker package itself, let's ship them from
the general profile package and look into upstreaming them later.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
parent 24d6fd2e
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2012-2013 Collabora Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Depends: tunables/global (tunables/multiarch)
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
# generic D-Bus rules for Tracker processes
dbus send
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus (send) bus=session peer=(name=org.freedesktop.Tracker1),
# Tracker's own files
/usr/share/tracker/ r,
/usr/share/tracker/** r,
/usr/lib/tracker/ r,
/usr/lib/tracker/tracker-* mr,
/usr/lib/tracker-0.14/ r,
/usr/lib/tracker-0.14/** mr,
/usr/lib/@{multiarch}/tracker-1.0/ r,
/usr/lib/@{multiarch}/tracker-1.0/** mr,
# Gio checks for Gvfs volume monitors on start if available
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
# Tracker local storage
owner @{HOME}/.local/share/tracker/ rwk,
owner @{HOME}/.local/share/tracker/** rwk,
owner @{HOME}/.cache/tracker/ rwk,
owner @{HOME}/.cache/tracker/** rwk,
owner @{HOME}/.config/tracker/ rwk,
owner @{HOME}/.config/tracker/** rwk,
# Tracker creates this directory, but then does nothing with it
# Fixed in 0.14.3 (commit: cd9c3b3e)
deny /tmp/tracker-chaiwala/ rw,
owner @{PROC}/*/fd/ r,
owner @{PROC}/*/cmdline r,
# Tracker Chaiwala tests
/etc/machine-id rw,
/usr/bin/dbus-launch ixr,
/var/tmp/chaiwala-tests/** rwk,
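Review bot: `/etc/machine-id rw,` under the "Tracker Chaiwala tests" comment grants write access to the system machine id to every profile that includes this abstraction, and the two test-only rules around it (`/usr/bin/dbus-launch ixr,` and `/var/tmp/chaiwala-tests/** rwk,`) ship in the production abstraction as well. If the tests only read the id, `/etc/machine-id r,` covers the stated need; if they genuinely rewrite it, the three test rules belong in a test-specific abstraction rather than one every Tracker profile pulls in. The `deny /tmp/tracker-chaiwala/ rw,` rule and its "Fixed in 0.14.3" comment also look stale next to the tracker-1.0 paths above, so a note on whether it is still required would help the next reader.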
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2012-2014, 2016 Collabora Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
# Tracker clients can do direct queries with tracker-store
dbus (send) bus=session peer=(name=org.freedesktop.Tracker1),
# Tracker clients can also communicate with miner-fs and extract
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-fs),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-user-guides),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-apps),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2015 Collabora Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Depends: tunables/global (tunables/multiarch)
# Generic D-Bus rules for Tracker miner processes
#include <abstractions/chaiwala-base>
#include <abstractions/tracker>
#include <abstractions/gsettings>
#include <abstractions/nameservice>
#include <abstractions/chaiwala-media>
#include <abstractions/freedesktop.org>
#include <abstractions/dbus-session-strict>
dbus (send) bus=session peer=(label=unconfined),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
dbus (send) bus=session peer=(label=/usr/bin/tracker),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-store),
dbus (receive) bus=session peer=(label=unconfined),
dbus (receive) bus=session peer=(label=/usr/bin/tracker),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
signal (receive) peer=/usr/bin/tracker,
# All miners use /proc/sys/fs/inotify/max_user_watches
@{PROC}/sys/fs/inotify/* rw,
# All miners may potentially request thumbnails for files
dbus (send) bus=session peer=(label=/usr/lib/*/tumbler-1/tumblerd),
dbus (receive) bus=session peer=(label=/usr/lib/*/tumbler-1/tumblerd),
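Review bot: `@{PROC}/sys/fs/inotify/* rw,` is wider than the comment above it describes: the miners read `max_user_watches`, yet the rule permits writing every inotify sysctl. Unless a miner actually tunes those limits, `@{PROC}/sys/fs/inotify/max_user_watches r,` matches the stated need, and even if the other entries are read the `w` can go. The two `peer=(label=unconfined)` send/receive rules earlier in this abstraction are broad by design; a one-line comment naming the unconfined peers they are meant for (as the upower and gvfs rules in usr.lib.tracker do) would make later narrowing possible.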
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2012-2013, 2015 Collabora Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
/usr/lib/tracker/tracker-miner-fs {
#include <abstractions/tracker-miner>
#include <abstractions/dbus-strict>
dbus bind bus=session name=org.freedesktop.Tracker1.Miner.Files,
dbus bind bus=session name=org.freedesktop.Tracker1.Miner.Files.*,
# For power management via upower
dbus (receive) bus=system peer=(label=unconfined),
dbus (send) bus=system peer=(label=unconfined),
# For GVolumeMonitor backend
dbus (send) bus=session peer=(label=/usr/lib/gvfs/gvfs*),
dbus (receive) bus=session peer=(label=/usr/lib/gvfs/gvfs*),
# For Application bundles
# These rules will only allow communication with app-bundles if the app-bundle
# also has a corresponding rule allowing it to receive from, or send to one of
# the various Tracker components.
dbus (send, receive) bus=session peer=(label=/Applications/**),
dbus (send, receive) bus=session peer=(label=/usr/Applications/**),
owner @{PROC}/*/mounts r,
# Used by chaiwala-tests
/tmp/tracker-tests-*/config/ rw,
/tmp/tracker-tests-*/config/** rw,
}
/usr/lib/tracker/tracker-miner-apps {
#include <abstractions/tracker-miner>
dbus bind bus=session name=org.freedesktop.Tracker1.Miner.Applications,
# XDG application directories
/usr/share/desktop-directories/*.directory rk,
/usr/share/applications/*.desktop rk,
/usr/lib/libreoffice/share/xdg/*.desktop rk,
/usr/Applications/*/share/applications/*.desktop rk,
# For Application bundles
dbus (send, receive) bus=session peer=(label=/Applications/**),
dbus (send, receive) bus=session peer=(label=/usr/Applications/**),
}
/usr/lib/tracker/tracker-miner-user-guides {
#include <abstractions/tracker-miner>
dbus bind bus=session name=org.freedesktop.Tracker1.Miner.Userguides,
# For Application bundles
dbus (send, receive) bus=session peer=(label=/Applications/**),
dbus (send, receive) bus=session peer=(label=/usr/Applications/**),
}
/usr/lib/tracker/tracker-extract {
#include <abstractions/chaiwala-base>
#include <abstractions/tracker>
#include <abstractions/gsettings>
#include <abstractions/nameservice>
#include <abstractions/chaiwala-media>
#include <abstractions/gstreamer-1.0>
#include <abstractions/freedesktop.org>
#include <abstractions/dbus-session-strict>
dbus bind bus=session name=org.freedesktop.Tracker1.Extract,
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-fs),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-apps),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-user-guides),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-store),
signal (receive) peer=/usr/bin/tracker,
owner @{PROC}/*/mounts r,
# Media art thumbnailing
owner @{HOME}/.cache/media-art/* rw,
owner @{HOME}/.cache/media-art/ rw,
owner /{,run/}media/*/**/.mediaartlocal/ rw,
owner /{,run/}media/*/**/.mediaartlocal/* rw,
# udev access for removable devices
/etc/udev/udev.conf r,
}
/usr/lib/tracker/tracker-store {
#include <abstractions/chaiwala-base>
#include <abstractions/tracker>
#include <abstractions/gsettings>
#include <abstractions/nameservice>
#include <abstractions/chaiwala-media>
#include <abstractions/freedesktop.org>
#include <abstractions/dbus-session-strict>
dbus bind bus=session name=org.freedesktop.Tracker1,
dbus (send) bus=session
peer=(label=unconfined),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
dbus (send) bus=session peer=(label=/usr/bin/tracker),
dbus (receive) bus=session peer=(label=/usr/bin/tracker),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-fs),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-apps),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-user-guides),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-info),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-stats),
# Can receive from unconfined processes
dbus (receive) bus=session,
signal (receive) peer=/usr/bin/tracker,
# Tracker-store tries to mknod a temporary file here
/var/tmp/*_* rw,
# Used by chaiwala-tests
/tmp/tracker-tests-*/config/ rw,
/tmp/tracker-tests-*/config/** rw,
/tmp/tracker-tests-*/share/ rw,
/tmp/tracker-tests-*/share/** rw,
}
/usr/lib/tracker/tracker-writeback {
# Tracker writeback is disabled, so we don't let it run at all
}
/usr/bin/tracker-control {
# Tracker control is replaced, so we don't let it run at all
}
/usr/bin/tracker-import {
# Dev tool; won't be shipped, and shouldn't be used.
}
/usr/bin/tracker-info {
# Tracker control is replaced, so we don't let it run at all
}
/usr/bin/tracker-stats {
# Tracker control is replaced, so we don't let it run at all
}
/usr/bin/tracker-sparql {
# Tracker control is replaced, so we don't let it run at all
}
/usr/bin/tracker {
#include <abstractions/chaiwala-base>
#include <abstractions/tracker>
#include <abstractions/gsettings>
#include <abstractions/nameservice>
#include <abstractions/dbus-session-strict>
dbus (send) bus=session peer=(label=unconfined),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-apps),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-fs),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-miner-user-guides),
dbus (send) bus=session peer=(label=/usr/lib/tracker/tracker-store),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-extract),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-apps),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-fs),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-miner-user-guides),
dbus (receive) bus=session peer=(label=/usr/lib/tracker/tracker-store),
dbus (send) bus=session peer=(label=/usr/lib/dconf/dconf-service),
signal (send) peer=unconfined,
signal (send) peer=/usr/lib/tracker/tracker-extract,
signal (send) peer=/usr/lib/tracker/tracker-miner-fs,
signal (send) peer=/usr/lib/tracker/tracker-miner-apps,
signal (send) peer=/usr/lib/tracker/tracker-miner-user-guides,
signal (send) peer=/usr/lib/tracker/tracker-store,
@{PROC}/ r,
/usr/bin/tracker mr,
}
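Review bot: The bare `dbus (receive) bus=session,` in the tracker-store profile (under "Can receive from unconfined processes") carries no `peer=` constraint, so it accepts messages from any session-bus peer, confined or not, and makes the seven label-specific receive rules above it redundant. If unconfined senders are the intent, `dbus (receive) bus=session peer=(label=unconfined),` expresses that precisely and matches the form already used in the tracker-miner-fs profile. In the same profile `/var/tmp/*_* rw,` lacks the `owner` qualifier the tracker abstraction applies to its own state paths; `owner /var/tmp/*_* rw,` would keep tracker-store from opening other users' temporary files that happen to match the glob. The receive rules for `label=/usr/lib/tracker/tracker-info` and `label=/usr/lib/tracker/tracker-stats` also name paths that no profile in this file defines (the empty profiles further down live under /usr/bin/), so they appear to be stale.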
etc/apparmor.d/abstractions
etc/apparmor.d/tunables
etc/apparmor.d/lib.systemd.systemd-logind
etc/apparmor.d/usr.lib.tracker