evince 3.22.1-3+deb9u1 / etc / apparmor.d / usr.bin.evince

# vim:syntax=apparmor
# Author: Kees Cook <kees@canonical.com>
#         Jamie Strandboge <jamie@canonical.com>

#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>

  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>
  ##include <abstractions/ubuntu-konsole>

  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,
  # 'Show Containing Folder' (LP: #1022962)
  /usr/bin/nautilus Cx -> sanitized_helper, # Gnome
  /usr/bin/pcmanfm Cx -> sanitized_helper,  # LXDE
  /usr/bin/krusader Cx -> sanitized_helper, # KDE
  /usr/bin/thunar Cx -> sanitized_helper,   # XFCE

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # For text attachments
  /usr/bin/gedit ixr,

  # For Send to
  /usr/bin/nautilus-sendto Cx -> sanitized_helper,

  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works
  / r,
  /**/ r,

  # This is need for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).
  owner @{HOME}/** rw,
  owner /media/**  rw,
  owner @{HOME}/.local/share/gvfs-metadata/** l,
  owner /{,var/}run/user/*/gvfs-metadata/** l,

  owner @{HOME}/.gnome2/evince/*       rwl,
  owner @{HOME}/.gnome2/accels/        rw,
  owner @{HOME}/.gnome2/accelsevince   rw,
  owner @{HOME}/.gnome2/accels/evince  rw,

  # Maybe add to an abstraction?
  /etc/dconf/**                                       r,
  owner @{HOME}/.cache/dconf/user                     rw,
  owner @{HOME}/.config/dconf/user                    r,
  owner /{,var/}run/user/*/dconf/                     w,
  owner /{,var/}run/user/*/dconf/user                 rw,
  owner /{,var/}run/user/*/dconf-service/keyfile/     w,
  owner /{,var/}run/user/*/dconf-service/keyfile/user rw,

  owner /{,var/}run/user/*/at-spi2-*/   rw,
  owner /{,var/}run/user/*/at-spi2-*/** rw,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats
  /**.[bB][mM][pP]     rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI]     rw,
  /**.[gG][iI][fF]     rw,
  /**.[jJ][pP][gG]     rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP]     rw,
  /**.[fFpP][dD][fF]   rw,
  /**.[pP][nN][mM]     rw,
  /**.[pP][nN][gG]     rw,
  /**.[pP][sS]         rw,
  /**.[eE][pP][sS]     rw,
  /**.[tT][iI][fF]     rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM]     rw,
  /**.[gG][zZ]         rw,
  /**.[bB][zZ]2        rw,
  /**.[cC][bB][rRzZ7]  rw,
  /**.[xX][zZ]         rw,

  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
  # directory a file is saved. This allows that behavior.
  owner /**/.goutputstream-* w,
}

/usr/bin/evince-previewer {
  #include <abstractions/audio>
  #include <abstractions/bash>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>
  #include <abstractions/dbus-strict>
  #include <abstractions/evince>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>

  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-console-browsers>
  #include <abstractions/ubuntu-email>
  #include <abstractions/ubuntu-console-email>
  #include <abstractions/ubuntu-media-players>

  # Terminals for using console applications. These abstractions should ideally
  # have 'ix' to restrict access to what only evince is allowed to do
  #include <abstractions/ubuntu-gnome-terminal>

  # By default, we won't support launching a terminal program in Xterm or
  # KDE's konsole. It opens up too many unnecessary files for most users.
  # People who need this functionality can uncomment the following:
  ##include <abstractions/ubuntu-xterm>

  /usr/bin/evince-previewer mr,
  /usr/bin/yelp Cx -> sanitized_helper,
  /usr/bin/bug-buddy px,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect). Write is needed for 'print to file' from the previewer.
  @{HOME}/ r,
  @{HOME}/** rw,

  # Maybe add to an abstraction?
  owner /{,var/}run/user/*/dconf/          w,
  owner /{,var/}run/user/*/dconf/user      rw,
}

/usr/bin/evince-thumbnailer {
  #include <abstractions/dbus-session>
  #include <abstractions/evince>

  # The thumbnailer doesn't need access to everything in the nameservice
  # abstraction. Allow reading of /etc/passwd and /etc/group, but suppress
  # logging denial of nsswitch.conf.
  /etc/passwd r,
  /etc/group r,
  deny /etc/nsswitch.conf r,

  # TCP/UDP network access for NFS
  network inet  stream,
  network inet6 stream,
  network inet  dgram,
  network inet6 dgram,

  /usr/bin/evince-thumbnailer mr,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/**  rw,
}