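# vim:syntax=apparmor
#
# abstraction used by evince binaries
#
# Reviewer notes on how this abstraction is meant to hold together:
#  * AppArmor gives deny rules precedence over allow rules regardless of
#    their order in the file, so the "audit deny" block near the end always
#    wins over the broad "/**.<ext> r" grants in the middle of this file.
#  * Binaries marked "ixr" execute *inside* the evince confinement (they
#    inherit this profile, so they get exactly the access listed here and in
#    the included abstractions). Binaries marked "Cx -> sanitized_helper"
#    are transitioned into the sanitized_helper child profile that
#    abstractions/ubuntu-helpers defines.
#
  #include <abstractions/gnome>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-helpers>

  # The fd/ and mountinfo rules are deliberately not "owner"-qualified and
  # therefore match any pid. NOTE(review): kernel DAC/ptrace checks still
  # gate access to other users' /proc entries; qualify with "owner" if
  # evince turns out to only need its own.
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/status r,

  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  # (plain "deny", no "audit": this only silences the log, it adds no access)
  deny /run/udev/data/** r,

  # move out to the gnome abstraction if anyone else needs these
  /etc/udev/udev.conf r,
  /sys/devices/**/block/**/uevent r,

  # apport
  /etc/default/apport r,

  # XFCE
  /etc/xfce4/defaults.list r,

  # Lubuntu
  /etc/xdg/lubuntu/applications/defaults.list r,

  # evince specific
  /etc/ r,
  /etc/fstab r,
  /etc/texmf/ r,
  /etc/texmf/** r,
  /etc/xpdf/* r,
  # The only write grant made by this file itself; everything else writable
  # by evince comes from the included abstractions.
  owner @{HOME}/.config/evince/ rw,
  owner @{HOME}/.config/evince/** rwkl,
  # Ghostscript runs under evince's own confinement (ix); the TeX helpers
  # are pushed into sanitized_helper instead.
  /usr/bin/gs-esp ixr,
  /usr/bin/mktexpk Cx -> sanitized_helper,
  /usr/bin/mktextfm Cx -> sanitized_helper,
  /usr/bin/dvipdfm Cx -> sanitized_helper,
  /usr/bin/dvipdfmx Cx -> sanitized_helper,

  # gio-launch-desktop was replaced by a very small shell script, so a
  # shell has to be executable from inside the profile. It inherits the
  # confinement (ix), i.e. it does not escape the sandbox, but it does mean
  # any code execution in evince can drive a shell with these permissions.
  /{usr/,}bin/{dash,bash} ixr,
  # With older GLib we might still be on the fallback code path
  # (remove this after Debian 11 and Ubuntu 20.04)
  /usr/lib/*/glib-2.0/gio-launch-desktop ixr,

  # supported archivers (for comic-book and compressed documents). All run
  # with the inherited profile (ix), so a parser bug in one of them yields
  # the same access set as evince itself, no more and no less.
  # NOTE(review): if any of these needs tighter confinement, the
  # "Cx -> sanitized_helper" pattern used for the TeX tools above is the
  # existing precedent; not changed here because the helper profile's
  # read set has not been verified against what the archivers need.
  /{usr/,}bin/gzip ixr,
  /{usr/,}bin/bzip2 ixr,
  /usr/bin/unrar* ixr,
  /usr/bin/unzip ixr,
  /usr/bin/7zr ixr,
  /usr/lib/p7zip/7zr ixr,
  /usr/bin/7za ixr,
  /usr/lib/p7zip/7za ixr,
  /usr/bin/zipnote ixr,
  /{usr/,}bin/tar ixr,
  /usr/bin/xz ixr,

  # allow read access to anything in /usr/share, for plugins and input methods
  /usr/local/share/** r,
  /usr/share/** r,
  # "m" (mmap executable) is required for ghostscript's shared objects
  /usr/lib/ghostscript/** mr,
  /var/lib/ghostscript/** r,
  /var/lib/texmf/{,**} r,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read for all supported file formats.
  # "/**" matches at any depth anywhere on the filesystem (DAC still
  # applies), so these are intentionally broad; the audit deny block below
  # carves the sensitive dot-directories back out.
  /**.[aA][iI] r,
  /**.[bB][mM][pP] r,
  /**.[dD][jJ][vV][uU] r,
  /**.[dD][vV][iI] r,
  /**.[gG][iI][fF] r,
  /**.[jJ][pP][gG] r,
  /**.[jJ][pP][eE][gG] r,
  /**.[oO][dD][pP] r,
  /**.[fFpP][dD][fF] r,
  /**.[pP][nN][mM] r,
  /**.[pP][nN][gG] r,
  /**.[pP][sS] r,
  /**.[eE][pP][sS] r,
  /**.[eE][pP][sS][fFiI23] r,
  /**.[tT][iI][fF] r,
  /**.[tT][iI][fF][fF] r,
  /**.[xX][pP][mM] r,
  /**.[gG][zZ] r,
  /**.[bB][zZ]2 r,
  /**.[cC][bB][rRzZ7] r,
  /**.[xX][zZ] r,

  # Use abstractions/private-files instead of abstractions/private-files-strict
  # and add the sensitive files manually to work around LP: #451422. The goal
  # is to disallow access to the .mozilla folder in general, but to allow
  # access to the Cache directory, which the browser may tell evince to open
  # from directly.
  #include <abstractions/private-files>
  audit deny @{HOME}/.gnupg/{,**} mrwkl,
  audit deny @{HOME}/.ssh/{,**} mrwkl,
  audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
  audit deny @{HOME}/.gnome2/ w,
  audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
  audit deny @{HOME}/.kde/{,share/,share/apps/} w,
  audit deny @{HOME}/.kde/share/apps/kwallet/{,**} mrwkl,
  # nssdb: only write and link are denied; read is left to the grants above.
  # NOTE(review): presumably so NSS/p11-kit backed TLS keeps working; confirm
  # before tightening to mrwkl.
  audit deny @{HOME}/.pki/{,nssdb/} w,
  audit deny @{HOME}/.pki/nssdb/{,**} wl,
  audit deny @{HOME}/.mozilla/{,**/} w,
  # "*" does not cross "/": this denies only entries exactly three levels
  # deep (.mozilla/<vendor>/<profile>/<file>). Deeper paths such as
  # <profile>/Cache/<file> are intentionally left to the read grants above
  # (the LP: #451422 workaround); the named subdirectories that hold
  # sensitive data are then denied explicitly.
  audit deny @{HOME}/.mozilla/*/*/* mrwkl,
  audit deny @{HOME}/.mozilla/**/bookmarkbackups/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/chrome/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/extensions/{,**} mrwkl,
  audit deny @{HOME}/.mozilla/**/gm_scripts/{,**} mrwkl,
  # Denies creating entries directly in ~/.config; the owner rw grant on
  # ~/.config/evince/ above is unaffected because that path is matched on
  # its own, not via this one.
  audit deny @{HOME}/.config/ w,
  audit deny @{HOME}/.config/chromium/{,**} mrwkl,
  audit deny @{HOME}/.config/evolution/{,**} mrwkl,
  audit deny @{HOME}/.evolution/{,**} mrwkl,
  audit deny @{HOME}/.kde/share/config/{,**} mrwkl,
  audit deny @{HOME}/.kde/share/apps/kmail/{,**} mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/{,**/} w,
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
  # CAUTION: the negated character classes below do NOT mean "any profile
  # subdirectory except Cache". They match only names at least five
  # characters long whose 1st char is not 'C' AND 2nd is not 'a' AND 3rd is
  # not 'c' AND 4th is not 'h' AND 5th is not 'e'. A subdirectory such as
  # "Mail" (second character 'a') or any name shorter than five characters
  # is therefore not covered, and files beneath it carrying one of the
  # extensions granted above stay readable. This is the known approximation
  # behind the LP: #451422 note; switch to private-files-strict (below) as
  # soon as that bug allows.
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/{,**} mrwkl,

  # When LP: #451422 is fixed, change the above to simply be:
  ##include <abstractions/private-files-strict>
  #owner @{HOME}/.mozilla/**/*Cache/* r,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.evince>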