/etc/apparmor.d/usr.bin.ricochet is in ricochet-im 1.1.4-2build1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
# Last Modified: Mon Jul 17 00:25:38 2017
#include <tunables/global>
# AppArmor Ricochet profile for Debian GNU/Linux
# This profile is Free Software and released under the same license as Ricochet
# itself.
#
# Copyleft 2015 Jacob Appelbaum <jacob@appelbaum.net>
#
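/usr/bin/ricochet {
  # Profile for the Ricochet binary. Note that pulseaudio and tor are
  # exec'd with `ix` (inherit), so every rule in this profile also applies
  # to those child processes.
  #include <abstractions/audio>
  #include <abstractions/kde>
  #include <abstractions/nameservice>

  # Shared libraries: read (r) and map as executable (m).
  /usr/lib/** mr,

  # Allow TCP connections
  network inet stream,
  network inet6 stream,

  # Allow Ricochet to exec pulseaudio
  # This makes me very sad...
  # as it seems that you can't isolate playing and recording :(
  /usr/bin/pulseaudio rix,

  # Allow Ricochet to exec tor
  # NOTE(review): `ix` runs tor under this same profile. A dedicated child
  # profile (`Cx`) would confine tor to only what it needs, but tor's full
  # requirements are not documented in this file, so the exec mode is left
  # unchanged here.
  /usr/bin/tor rix,

  # Tor in turn needs various things
  /usr/share/tor/geoip r,
  /usr/share/tor/geoip6 r,
  /proc/sys/kernel/random/uuid r,
  /sys/devices/system/cpu/ r,

  # Allow Ricochet to read tor daemons auth cookie
  /run/tor/control.authcookie r,

  # Allow Ricochet to read itself
  # Qualified with `owner` so that only /proc entries of processes running
  # under the same uid are readable. The previous unqualified rule let the
  # confined process read the cmdline and environment of every process on
  # the system (subject only to DAC); environ in particular can carry
  # credentials, and reading itself is all the comment above asks for.
  owner /proc/[0-9]*/cmdline r,
  owner /proc/[0-9]*/environ r,

  # Allow Ricochet to generate audio
  owner /{dev,run}/shm/pulse-shm* m,

  # Allow Ricochet to draw the UX
  /dev/dri/ r,
  /sys/devices/pci[0-9]*/**/config r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /run/udev/data/* r,

  # Allow Ricochet to load GTK themes
  /usr/share/themes/* r,
  /usr/share/themes/**/* r,
  owner @{HOME}/.gtkrc-2.0 r,

  # Allow Ricochet to look up all your machine's PII
  # Why does it need this stuff? BAD NEWS BEARS
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # Ricochet's own state directory: read, write, mmap-exec and lock (k)
  # only on files owned by the running user.
  owner @{HOME}/.local/share/Ricochet/ rw,
  owner @{HOME}/.local/share/Ricochet/** mrwk,
}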