
/etc/apparmor.d/abstractions/ubuntu-unity7-base is in apparmor 2.9.0-3.

This file is owned by root:root, with mode 0o644.


# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2014 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#
# Rules common to applications running under Unity 7
#
# This file is an abstraction: profiles pull it in with #include and every
# rule below is added on top of whatever the including profile already
# grants. A rule here therefore widens every confined Unity 7 application at
# once, so each grant should stay as narrow as the integration needs.
# dbus rules without a path=/interface=/member=/peer= qualifier match any
# value for that field; the comments below call out where that makes a rule
# broad.
#

#include <abstractions/gnome>

  # Allow connecting to session bus and where to connect to services
  # Hello and {Add,Remove}Match are addressed to the bus driver itself
  # (peer=org.freedesktop.DBus), so these rules grant no access to any
  # other service on the bus.
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  # The {db,DB} alternation accepts both spellings of the driver object path;
  # presumably some clients send the lowercase form — confirm before
  # narrowing this to /org/freedesktop/DBus.
  dbus (send)
       bus=session
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  # Allow starting services on the session bus (actual communications with
  # the service are mediated elsewhere)
  # Only the activation request to the bus driver is allowed here; whether
  # the app may then talk to the started service depends on the including
  # profile's own dbus rules.
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=StartServiceByName
       peer=(name=org.freedesktop.DBus),

  # Allow connecting to system bus and where to connect to services. Put these
  # here so we don't need to repeat these rules in multiple places (actual
  # communications with any system services is mediated elsewhere). This does
  # allow apps to brute-force enumerate system services, but our system
  # services aren't a secret.
  # rw on the socket is what lets the app open a connection; the dbus rules
  # that follow still decide which messages may be sent over it.
  /{,var/}run/dbus/system_bus_socket rw,
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/{db,DB}us
       interface=org.freedesktop.DBus
       member={Add,Remove}Match
       peer=(name=org.freedesktop.DBus),
  # NameHasOwner and GetNameOwner could leak running processes and apps
  # depending on how services are implemented
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetNameOwner
       peer=(name=org.freedesktop.DBus),
  dbus (send)
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=NameHasOwner
       peer=(name=org.freedesktop.DBus),

  #
  # Access required for connecting to/communication with Unity HUD
  #
  # These rules carry no member= or peer= qualifier: any method on the HUD
  # object path, and any method on any object exposing a com.canonical.hud.*
  # interface, may be called on any peer. The path rule below also uses a
  # trailing * so it covers every per-application HUD object.
  dbus (send)
       bus=session
       path="/com/canonical/hud",
  dbus (send)
       bus=session
       interface="com.canonical.hud.*",
  dbus (send)
       bus=session
       path="/com/canonical/hud/applications/*",
  dbus (receive)
       bus=session
       path="/com/canonical/hud",
  dbus (receive)
       bus=session
       interface="com.canonical.hud.*",

  #
  # Allow access for connecting to/communication with the appmenu
  #
  # dbusmenu
  # Bidirectional, peer-unrestricted access to the whole /com/canonical/menu
  # subtree (** matches nested object paths).
  dbus (send)
       bus=session
       interface="com.canonical.AppMenu.*",
  dbus (receive, send)
        bus=session
        path=/com/canonical/menu/**,

  # gmenu
  # Matched on interface only: no path= or peer= restriction, so these apply
  # to any object on any peer that speaks org.gtk.Actions / org.gtk.Menus.
  # The deny rule at the end of this file relies on this breadth being
  # cut back for the Unity debug paths.
  dbus (receive, send)
       bus=session
       interface=org.gtk.Actions,
  dbus (receive, send)
       bus=session
       interface=org.gtk.Menus,

  #
  # Access required for using freedesktop notifications
  #
  # Sends are pinned to the Notifications object path and to the specific
  # members an application needs; no interface= is given, so any interface
  # on that path is accepted for these member names.
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=GetCapabilities,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=GetServerInformation,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=Notify,
  # NOTE(review): this receive rule names the bus driver as the peer rather
  # than the Notifications path used by the other rules in this group —
  # confirm that is the intended sender for incoming Notify messages.
  dbus (receive)
       bus=session
       member="Notify"
       peer=(name="org.freedesktop.DBus"),
  dbus (receive)
       bus=session
       path=/org/freedesktop/Notifications
       member=NotificationClosed,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       member=CloseNotification,

  # accessibility
  # Only the peer name is constrained: any path, interface or member may be
  # sent to org.a11y.Bus.
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  # Trailing * covers every org.a11y.atspi sub-interface.
  dbus (receive)
       bus=session
       interface=org.a11y.atspi*,
  # Unqualified send and receive on the accessibility bus to any peer: the
  # widest dbus grant in this file. Keep it under review, since anything
  # else connected to that bus is reachable from a confined app.
  dbus (receive, send)
       bus=accessibility,

  #
  # Deny potentially dangerous access
  #
  # An explicit deny overrides the allow rules above, including the
  # interface-only gmenu rules that would otherwise match these paths.
  # The character classes catch both capitalisations and ** covers every
  # object below the debug path.
  deny dbus bus=session path=/com/canonical/[Uu]nity/[Dd]ebug**,