/etc/apparmor.d/usr.bin.media-hub-server is in media-hub 4.1.0+16.04.20160308.2-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# AppArmor profile confining /usr/bin/media-hub-server (Ubuntu media-hub).
# Rule syntax: r read, w write, m mmap PROT_EXEC, k file locking,
# ix execute while inheriting this profile. "deny" rules take precedence
# over allow rules and are not audited unless prefixed with "audit".
#include <tunables/global>

# attach_disconnected: a path that cannot be resolved relative to the
# namespace root is treated as attached to "/" instead of being denied;
# the /dev/socket/property_service rule further down relies on this flag.
/usr/bin/media-hub-server (attach_disconnected) {
# Base runtime, sound, name resolution, session bus, strict system bus
# policy, per-user /tmp and video device access.
#include <abstractions/base>
#include <abstractions/audio>
#include <abstractions/nameservice>
#include <abstractions/dbus-session>
#include <abstractions/dbus-strict>
#include <abstractions/user-tmp>
#include <abstractions/video>
# Board-specific hardware access (audio, graphics, video) maintained
# outside this profile.
#include "/usr/share/apparmor/hardware/audio.d"
#include "/usr/share/apparmor/hardware/graphics.d"
#include "/usr/share/apparmor/hardware/video.d"
# Explicitly (and quietly) refuse cgroup task reassignment.
deny /dev/cpuctl/apps/tasks w,
deny /dev/cpuctl/apps/bg_non_interactive/tasks w,
# /proc access. Note that @{PROC}/interrupts is not owner-restricted;
# the remaining entries are limited to the server's own processes.
@{PROC}/interrupts r,
owner @{PROC}/cmdline r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/fd/ r,
owner @{PROC}/[0-9]*/status r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/task/[0-9]*/ r,
owner @{PROC}/[0-9]*/cmdline r,
# udev configuration is readable; the udev device database is quietly
# denied rather than exposed.
/etc/udev/udev.conf r,
deny /run/udev/data/** r,
# specific to the mediatek soc
@{PROC}/xlog/setfil r,
@{PROC}/M4U_device r,
/dev/Vcodec rw,
# NOTE(review): rw on the whole platform driver tree in sysfs is broad
# (it covers sysfs attributes of every platform driver, not only the
# codec). Confirm which node the codec actually needs and narrow this
# rule if possible.
/sys/bus/platform/drivers/** rw,
/{,android/}system/etc/mtk_omx_core.cfg r,
/dev/devmap r,
@{PROC}/mtk_mdp_cmdq r,
# Video capture devices are read-only here; write access, if any, comes
# from the hardware includes above.
/dev/video* r,
/sys/devices/**/video4linux/video** r,
/sys/devices/**/video4linux/**/uevent r,
# ftrace marker for tracing output (write-only).
/sys/kernel/debug/tracing/trace_marker w,
/dev/ashmem rw,
# Read-only ptrace limited to tasks confined by this same profile
# (self-introspection only).
ptrace (read) peer=@{profile_name},
# NOTE(review): the packaged comment says this should be explicitly denied
# because it is not needed, but the rule below is an allow (rw), not a
# deny. Confirm which is intended; if the framebuffer is not needed the
# rule should read "deny /dev/fb0 rw,".
/dev/fb0 rw,
# libhybris
/{,var/}run/shm/hybris_shm_data rw,
/usr/lib/@{multiarch}/libhybris/*.so mr,
/{,android/}system/build.prop r,
# These libraries can be in any of:
# /vendor/lib
# /system/lib
# /system/vendor/lib
# /android/vendor/lib
# /android/system/lib
# /android/system/vendor/lib
# Everything under these trees is readable; only *.so may be mapped
# executable.
/{,android/}vendor/lib/** r,
/{,android/}vendor/lib/**.so m,
/{,android/}system/lib/** r,
/{,android/}system/lib/**.so m,
/{,android/}system/vendor/lib/** r,
/{,android/}system/vendor/lib/**.so m,
# attach_disconnected path (see the profile flag above).
/dev/socket/property_service rw,
# Android logging triggered by platform. Can safely deny
deny /dev/log_main w,
deny /dev/log_radio w,
deny /dev/log_events w,
deny /dev/log_system w,
# Allow all access to powerd for now, but we can fine-tune this if needed.
# No member= restriction: every method/signal on these two interfaces is
# permitted in both directions.
dbus (receive, send)
bus=system
path=/com/canonical/powerd
interface=com.canonical.powerd,
dbus (receive, send)
bus=system
path=/com/canonical/Unity/Screen
interface=com.canonical.Unity.Screen,
# GStreamer plugin registry caches, both the legacy ~/.gstreamer* and the
# XDG ~/.cache location; owner-restricted.
owner @{HOME}/.gstreamer*/registry.*.bin* rw,
owner @{HOME}/.gstreamer*/ rw,
owner @{HOME}/.cache/gstreamer*/ rw,
owner @{HOME}/.cache/gstreamer*/registry.*.bin* rw,
# The plugin scanner runs under this same profile (ix), so it gets no
# additional permissions.
/usr/lib/@{multiarch}/gstreamer*/gstreamer*/gst-plugin-scanner ix,
# The user-tmp abstraction allows writes to these files, but gstreamer sometimes
# needs to also mmap its temporary files
owner /tmp/orcexec* m,
/{,android/}system/etc/media_codecs*.xml r,
/etc/wildmidi/wildmidi.cfg r,
# Allow read on all directories (directory listing only; the trailing "/"
# does not match regular files)
/**/ r,
# camera click
/{,android/}system/media/audio/ui/camera_click.ogg r,
# custom sounds
/custom/usr/share/sounds/ r,
/custom/usr/share/sounds/** r,
# Allow read on click install directories, removable media and files in
# /usr/local/share.
/usr/share/** r,
/usr/local/share/** r,
/{media,mnt,opt,srv}/** r,
# Allow reading any files in non-hidden directories
# ([^.]* excludes dot-directories such as ~/.ssh or ~/.gnupg)
owner @{HOME}/[^.]* rk,
owner @{HOME}/[^.]*/ rk,
owner @{HOME}/[^.]*/** rk,
# Allow reading files in XDG directories (ie, where apps are allowed to
# write)
owner @{HOME}/.cache/** rk,
owner @{HOME}/.local/share/** rk,
owner /{,var/}run/user/[0-9]*/** rk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.media-hub-server>
}