VLC Apparmor Profile

I have a profile for VLC that works on 64-bit Ubuntu without using any abstractions. If you’re on another distro or not on 64-bit, just add #include <abstractions/base> and remove all of the library rules.

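I built this a long time ago to see how annoying it would be to remove abstractions, so it may not be perfect. I haven’t looked at it in a while, but I know it runs fine on my system. If you try it, load it in complain mode first (aa-complain) and check the logged denials before enforcing it.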

Decided to post it because of a recent writeup about a VLC exploit, here.

 

# Last Modified: Sat Sep  7 23:23:17 2013

#include <tunables/global>

 

/usr/bin/vlc {

 # Main body of the /usr/bin/vlc profile. Every path is allowed explicitly
 # instead of through abstractions; in enforce mode anything not listed is denied.

 # Refuse IPv4 UDP sockets. Explicit deny rules are also not logged by default.
 # NOTE(review): no `network` allow rule is visible in this profile. On kernels
 # that mediate networking, TCP/UDP would already be refused without one, so
 # confirm whether this line changes behaviour or only quiets the log.
 deny network inet dgram,

 # File rule applied to the running process: VLC may not read this file.
 # It does not affect how the policy parser resolves #include lines.
 deny /etc/apparmor.d/abstractions/base r,

 

 / r,

 # r + Cx: executing /bin/dash transitions to the `profile /bin/dash` child
 # profile defined further down; upper-case C requests a scrubbed environment.
 /bin/dash rCx,

 # Device nodes: GPU (ati/dri), ALSA control, tty and the kernel RNG.
 /dev/ r,

 /dev/ati/card* rw,

 /dev/dri/card* rw,

 /dev/null rw,

 /dev/snd/ r,

 /dev/snd/control* rw,

 /dev/tty rw,

 /dev/urandom r,

 # System configuration, read-only (`k` additionally allows file locking).
 /etc/drirc r,

 /etc/fonts/** r,

 /etc/gai.conf r,

 /etc/host.conf r,

 /etc/hosts r,

 /etc/ld.so.cache r,

 /etc/locale.alias r,

 /etc/localtime r,

 /etc/nsswitch.conf r,

 /etc/passwd r,

 /etc/pkcs11/modules/ r,

 /etc/pkcs11/modules/gnome-keyring.module r,

 /etc/pulse/client.conf r,

 /etc/services r,

 /etc/ssl/certs/ca-certificates.crt r,

 /etc/xdg/Trolltech.conf rk,

 /etc/xdg/sni-qt.conf rk,

 # Home directory rules. None of them carries the `owner` qualifier, and the
 # leading /home/*/ matches every user's home, so only ordinary file
 # permissions separate one user's files from another's here.
 /home/ r,

 # NOTE(review): `*` matches any name without a '/', dotfiles included, so this
 # allows reading every file that sits directly in a home directory. Consider
 # `owner` plus a narrower pattern.
 /home/*/* r,

 /home/*/.config/ rw,

 # NOTE(review): read/lock on everything under ~/.config exposes other
 # applications' settings to a compromised VLC. The vlc/, Trolltech.conf and
 # gtkfilechooser.ini rules below look like the intended scope - confirm
 # whether this wildcard is still needed.
 /home/*/.config/** rk,

 /home/*/.config/Trolltech.conf* rwk,

 /home/*/.config/gtk-*/gtkfilechooser.ini* rw,

 /home/*/.config/vlc/ rw,

 /home/*/.config/vlc/** rwk,

 /home/*/.dbus/ w,

 /home/*/.dbus/session-bus/ w,

 /home/*/.dbus/session-bus/* w,

 /home/*/.local/ w,

 /home/*/.local/share/ w,

 /home/*/.local/share/* rw,

 /home/*/.local/share/icons/ r,

 /home/*/.local/share/icons/hicolor/**/ r,

 /home/*/.local/share/mime/* r,

 /home/*/.local/share/vlc/ rw,

 /home/*/.local/share/vlc/* rw,

 /home/*/.local/share/vlc/*/ rw,

 /home/*/.pulse-cookie rwk,

 /home/*/.pulse/ r,

 # Media locations. `**` recurses into subdirectories.
 # NOTE(review): these grant write as well as read; playback only needs `r`.
 # Keep `w` only where VLC is expected to save files, and consider `owner`.
 /home/*/Documents/ r,

 /home/*/Documents/** rwk,

 /home/*/Downloads/ r,

 /home/*/Downloads/** rwk,

 /home/*/Videos/** rwk,

 # Shared libraries under /lib, listed one by one with hard-coded
 # x86_64-linux-gnu paths. `m` permits mapping the file executable, which the
 # dynamic loader needs for shared objects; `r` permits reading it.
 /lib/libnss_mdns4.so* mr,

 /lib/libnss_mdns4_minimal.so* mr,

 /lib/x86_64-linux-gnu/ld-*.so mr,

 /lib/x86_64-linux-gnu/libbz2.so.* mr,

 /lib/x86_64-linux-gnu/libc-*.so mr,

 /lib/x86_64-linux-gnu/libcap.so.* mr,

 /lib/x86_64-linux-gnu/libcom_err.so.* mr,

 /lib/x86_64-linux-gnu/libcrypt-*.so mr,

 /lib/x86_64-linux-gnu/libdbus-*.so* mr,

 # This pattern (like libm, libpthread and librt below) has no '.' before
 # "so"; the `*` still matches the version and the dot.
 /lib/x86_64-linux-gnu/libdl-*so mr,

 /lib/x86_64-linux-gnu/libexpat.so.* mr,

 /lib/x86_64-linux-gnu/libgcc_s.so.* mr,

 /lib/x86_64-linux-gnu/libgcrypt.so.* mr,

 /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,

 /lib/x86_64-linux-gnu/libgpg-error.so.* mr,

 /lib/x86_64-linux-gnu/libjson.so.* mr,

 /lib/x86_64-linux-gnu/libkeyutils.so.* mr,

 /lib/x86_64-linux-gnu/liblzma.so.* mr,

 /lib/x86_64-linux-gnu/libm-*so mr,

 /lib/x86_64-linux-gnu/libncurses.so.* mr,

 /lib/x86_64-linux-gnu/libncursesw.so.* mr,

 /lib/x86_64-linux-gnu/libnsl-*.so mr,

 /lib/x86_64-linux-gnu/libnss_compat-*.so mr,

 /lib/x86_64-linux-gnu/libnss_dns-*.so mr,

 /lib/x86_64-linux-gnu/libnss_files-*.so mr,

 /lib/x86_64-linux-gnu/libnss_nis-*.so mr,

 /lib/x86_64-linux-gnu/libpcre.so.* mr,

 /lib/x86_64-linux-gnu/libpng*.so.* mr,

 /lib/x86_64-linux-gnu/libpthread-*so mr,

 /lib/x86_64-linux-gnu/libresolv-*.so mr,

 /lib/x86_64-linux-gnu/librt-*so mr,

 /lib/x86_64-linux-gnu/libselinux.so.* mr,

 /lib/x86_64-linux-gnu/libslang.so.* mr,

 /lib/x86_64-linux-gnu/libtinfo.so.* mr,

 /lib/x86_64-linux-gnu/libudev.so.* mr,

 /lib/x86_64-linux-gnu/libusb-*.so.* mr,

 /lib/x86_64-linux-gnu/libuuid.so.* mr,

 /lib/x86_64-linux-gnu/libwrap.so.* mr,

 /lib/x86_64-linux-gnu/libz.so.* mr,

 # Removable media, recursively.
 # NOTE(review): read/write/lock on everything under /media; `r` is enough for
 # playback - keep `w` only if VLC is expected to write there.
 /media/** rwk,

 # Process and kernel information from /proc.
 # NOTE(review): the `*` in /proc/*/... matches any PID, not only VLC's own;
 # prefixing these rules with `owner` would limit them to the user's processes.
 /proc/ r,

 /proc/*/auxv r,

 /proc/*/cmdline r,

 /proc/*/fd/ r,

 /proc/*/maps r,

 /proc/*/stat r,

 /proc/*/status r,

 /proc/ati/ r,

 /proc/filesystems r,

 /proc/meminfo r,

 /proc/modules r,

 /proc/sys/kernel/pid_max r,

 /proc/sys/vm/overcommit_memory r,

 /proc/uptime r,

 # Runtime state: resolver config, PulseAudio shared memory, dconf.
 /run/resolvconf/resolv.conf r,

 /run/shm/ r,

 /run/shm/pulse-shm-* rw,

 /run/user/*/dconf/user rw,

 /sys/devices/system/*/ r,

 /sys/devices/system/cpu/online r,

 # `owner` restricts this rule to files owned by the user running VLC.
 owner /tmp/** rw,

 /usr/bin/vlc r,

 # Cx: executing xdg-screensaver transitions to the
 # `profile /usr/bin/xdg-screensaver` child profile defined further down.
 /usr/bin/xdg-screensaver Cx,

 # Libraries directly under /usr/lib (fglrx GL driver, codecs, libvlc).
 /usr/lib/fglrx/libGL.so.* mr,

 /usr/lib/fglrx/libatiuki.so.* mr,

 # NOTE(review): broad glob - matches any /usr/lib library whose name starts
 # with "liba" and contains a '-'. List the intended libraries if you can.
 /usr/lib/liba*-*.so* mr,

 /usr/lib/libcddb.so* mr,

 /usr/lib/libcdio.so* mr,

 /usr/lib/libdca.so* mr,

 /usr/lib/libdvbpsi.so* mr,

 /usr/lib/libenca.so* mr,

 /usr/lib/libiso9660.so* mr,

 /usr/lib/libkate.so* mr,

 /usr/lib/liblirc_client.so* mr,

 /usr/lib/libmodplug.so* mr,

 /usr/lib/libmpcdec.so* mr,

 /usr/lib/libresid-builder.so* mr,

 /usr/lib/libsidplay2.so* mr,

 /usr/lib/libtar.so* mr,

 /usr/lib/libtwolame.so* mr,

 /usr/lib/libvcdinfo.so* mr,

 /usr/lib/libvlc.so* mr,

 /usr/lib/libvlccore.so* mr,

 /usr/lib/locale/locale-archive r,

 # VLC's own Lua scripts and plugins.
 /usr/lib/vlc/lua/meta/reader/ r,

 /usr/lib/vlc/lua/meta/reader/filename.luac r,

 /usr/lib/vlc/lua/modules/simplexml.luac r,

 /usr/lib/vlc/lua/playlist/ r,

 /usr/lib/vlc/lua/playlist/* r,

 /usr/lib/vlc/plugins/ r,

 /usr/lib/vlc/plugins/*/ r,

 /usr/lib/vlc/plugins/*/lib*.so mr,

 # Write access under /usr/lib; it only has an effect where file permissions
 # also allow the write.
 # NOTE(review): if VLC never runs as a user who can write here, `r` suffices.
 /usr/lib/vlc/plugins/plugins.dat* rw,

 # Loadable modules for ALSA, DRI, gconv, gdk-pixbuf, GIO, GTK and GVFS.
 /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_conf_pulse.so mr,

 /usr/lib/x86_64-linux-gnu/dri/r*_dri.so mr,

 /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/CP*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/UTF-*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders/lib*.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/ r,

 /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache r,

 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/engines/libmurrine.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/gtk.immodules r,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/immodules/im-ibus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/menuproxies/libappmenu.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/libcanberra-gtk-module.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/liboverlay-scrollbar.so mr,

 /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,

 # Shared libraries under /usr/lib/x86_64-linux-gnu, one rule per library.
 # The paths are specific to a 64-bit multiarch layout. A library that is
 # installed but not listed shows up as a denial in the audit log with the
 # full path in name=.
 /usr/lib/x86_64-linux-gnu/libFLAC.so.* mr,

 /usr/lib/x86_64-linux-gnu/libICE.so.* mr,

 /usr/lib/x86_64-linux-gnu/libLLVM-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtCore.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtDBus.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtGui.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtSvg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtXml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL_image-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSM.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11-xcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXau.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcomposite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcursor.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdamage.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdmcp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXext.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXfixes.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXinerama.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrandr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrender.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXxf86vm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaa.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasound.so.* mr,

 /usr/lib/x86_64-linux-gnu/libass.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasyncns.so.* mr,

 /usr/lib/x86_64-linux-gnu/libatk-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaudio.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-client.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-common.so.* mr,

 # This glob already covers the libavcodec rule that follows it.
 /usr/lib/x86_64-linux-gnu/libavc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavcodec.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavformat.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavutil.so.* mr,

 /usr/lib/x86_64-linux-gnu/libbluray.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcaca.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcairo.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcroco-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcrystalhd.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdatrie.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-qt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirac_encoder.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirect-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirectfb-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdricore*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm_radeon.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdnav.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdread.so.* mr,

 /usr/lib/x86_64-linux-gnu/libebml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfaad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libffi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfontconfig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfreetype.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfribidi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfusion-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgallium.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgconf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgio-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libglapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgmodule-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgnutls.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgobject-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgsm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libharfbuzz.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,

 /usr/lib/x86_64-linux-gnu/libibus-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicudata.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicui18n.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicule.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicuuc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libixml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjbig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjpeg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjson.so.* mr,

 /usr/lib/x86_64-linux-gnu/libk5crypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5support.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblber-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblcms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libldap_r-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmatroska.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmng.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmpeg*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmtp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libnotify.so.* mr,

 /usr/lib/x86_64-linux-gnu/libogg.so* mr,

 /usr/lib/x86_64-linux-gnu/libopus.so.* mr,

 /usr/lib/x86_64-linux-gnu/liborc-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libp11-kit.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpango-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangocairo-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangoft2-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpixman-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpostproc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/ r,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/config_gnome*.so mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/network_networkmanager.so mr,

 /usr/lib/x86_64-linux-gnu/libpulse-simple.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,

 /usr/lib/x86_64-linux-gnu/libraw*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libroken.so.* mr,

 /usr/lib/x86_64-linux-gnu/librom*.so.* mr,

 /usr/lib/x86_64-linux-gnu/librsvg-2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsamplerate.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libschroedinger-*.so* mr,

 /usr/lib/x86_64-linux-gnu/libshout.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsmbclient.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsndfile.so.* mr,

 /usr/lib/x86_64-linux-gnu/libspeex.so* mr,

 /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,

 /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr,

 /usr/lib/x86_64-linux-gnu/libssh2.so* mr,

 /usr/lib/x86_64-linux-gnu/libstdc*.so* mr,

 /usr/lib/x86_64-linux-gnu/libswscale.so* mr,

 /usr/lib/x86_64-linux-gnu/libtag.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtalloc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libthai.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtheora.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoradec.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoraenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libthreadutil.so* mr,

 /usr/lib/x86_64-linux-gnu/libtiff.so* mr,

 /usr/lib/x86_64-linux-gnu/libtxc_dxtn_s2tc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libupnp.so* mr,

 # NOTE(review): broad glob - every library in this directory whose name
 # starts with "libv". It already covers the libv4lconvert, libva*, libvorbis*
 # and libvpx rules that follow; either drop it or drop those.
 /usr/lib/x86_64-linux-gnu/libv*.so* mr,

 /usr/lib/x86_64-linux-gnu/libv4lconvert.so* mr,

 /usr/lib/x86_64-linux-gnu/libva-x11.so* mr,

 /usr/lib/x86_64-linux-gnu/libva.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbis.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisfile.so* mr,

 /usr/lib/x86_64-linux-gnu/libvpx.so* mr,

 /usr/lib/x86_64-linux-gnu/libwbclient.so* mr,

 /usr/lib/x86_64-linux-gnu/libwebp.so* mr,

 /usr/lib/x86_64-linux-gnu/libwind.so* mr,

 /usr/lib/x86_64-linux-gnu/libx264.so* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-composite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-glx.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-keysyms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-randr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-render.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-shm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-xv.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libzvbi.so.* mr,

 # Mesa GL plus plugin/module directories for Pango, PKCS#11, PulseAudio, Qt4.
 /usr/lib/x86_64-linux-gnu/mesa/libGL.so.* mr,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/ r,

 # The libpango*.modules glob already covers the libpango1.0-0.modules rule
 # after it.
 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango*.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango1.0-0.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-basic-fc.so mr,

 /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs*.so mr,

 /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-*.so mr,

 # Qt4 plugins are listed individually; directories get `r` so they can be
 # enumerated, the plugins themselves `mr` so they can be loaded.
 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/libqsvgicon.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqgif.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqico.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqjpeg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqmng.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqsvg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtga.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtiff.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/libqimsw-multi.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/libappmenu-qt.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/libsni-qt.so mr,

 # Read-only shared data: library directory listings, X11 locale tables, ALSA
 # configuration, fonts, icons, themes.
 /usr/lib{,32,64}/ r,

 /usr/local/share/fonts/ r,

 /usr/local/share/pixmaps/ r,

 /usr/share/X11/locale/*/Compose r,

 /usr/share/X11/locale/*/XLC_LOCALE r,

 /usr/share/X11/locale/compose.dir r,

 /usr/share/X11/locale/locale.alias r,

 /usr/share/X11/locale/locale.dir r,

 # The /usr/share/alsa/* glob matches files directly in that directory only;
 # the alsa.conf.d/, cards/ and pcm/ entries below are subdirectory paths.
 /usr/share/alsa/* r,

 /usr/share/alsa/alsa.conf.d/ r,

 /usr/share/alsa/alsa.conf.d/50-pulseaudio.conf r,

 /usr/share/alsa/alsa.conf.d/bluetooth.conf r,

 /usr/share/alsa/alsa.conf.d/pulse.conf r,

 /usr/share/alsa/cards/aliases.conf r,

 /usr/share/alsa/pcm/default.conf r,

 /usr/share/fonts/ r,

 /usr/share/fonts/** r,

 /usr/share/glib-2.0/schemas/gschemas.compiled r,

 /usr/share/gvfs/remote-volume-monitors/ r,

 /usr/share/gvfs/remote-volume-monitors/*.monitor r,

 /usr/share/icons/ r,

 /usr/share/icons/** rk,

 /usr/share/libthai/* r,

 /usr/share/mime/mime.cache r,

 /usr/share/pixmaps/ r,

 /usr/share/poppler/cMap/*/ r,

 /usr/share/themes/** r,

 # NOTE(review): `m` allows mapping files executable, and `**` applies that to
 # everything under /var/cache. Narrow this to the caches VLC actually opens
 # (presumably the font cache - confirm from the denial log) and drop `m` if
 # plain reads are enough.
 /var/cache/** mr,

 /var/lib/dbus/machine-id r,

 /var/lib/defoma/fontconfig.d/* r,

 # Child profile entered when the VLC profile executes /bin/dash (the parent
 # grants it with `rCx`). The shell gets only the loader, libc, NSS and dconf
 # files listed here plus one helper it may run.
 profile /bin/dash {

 

   /bin/dash mr,

   /etc/ld.so.cache r,

   /etc/nsswitch.conf r,

   /etc/passwd r,

   /home/*/.config/dconf/user r,

   /lib/x86_64-linux-gnu/ld-*.so r,

   /lib/x86_64-linux-gnu/libc-*.so* mr,

   /run/user/*/dconf/user rw,

   # ix = inherit: pxgsettings runs under this same child profile, so it is
   # limited to the file rules listed above.
   /usr/lib/x86_64-linux-gnu/libproxy/*/pxgsettings rix,

   /usr/share/glib-2.0/schemas/gschemas.compiled r,

 

 }

 

 # Child profile entered when the VLC profile executes /usr/bin/xdg-screensaver
 # (the parent grants it with `Cx`). Every helper below uses `ix`, so each one
 # runs under this same child profile rather than one of its own.
 profile /usr/bin/xdg-screensaver {

   # NOTE(review): this is the only abstraction the policy pulls in, and its
   # rules are not visible here. Check what abstractions/ubuntu-konsole grants
   # on your system and whether a screensaver helper needs it.
   #include <abstractions/ubuntu-konsole>

 

   # A capability rule permits use of a capability the process already holds;
   # it does not hand one out.
   # NOTE(review): presumably added to quiet denials triggered by /bin/ps
   # reading /proc. If so, `deny capability sys_ptrace,` silences them without
   # allowing ptrace - confirm the helper still works.
   capability sys_ptrace,

   /bin/cat rix,

   /bin/dash rix,

   /bin/grep rix,

   /bin/hostname rix,

   /bin/ln rix,

   /bin/mktemp rix,

   /bin/mv rix,

   /bin/ps rix,

   /bin/rm rix,

   /bin/sed rix,

   /bin/sleep rix,

   /bin/which rix,

   # X11 authority file, readable for any user's home (no `owner` qualifier).
   /home/*/.Xauthority r,

   /proc/ r,

   /proc/*/mounts r,

   /proc/*/stat r,

   /proc/*/status r,

   /proc/cpuinfo r,

   /proc/filesystems r,

   /proc/meminfo r,

   /proc/stat r,

   /proc/sys/kernel/pid_max r,

   /proc/tty/drivers r,

   /proc/uptime r,

   # NOTE(review): unlike the parent's `owner /tmp/** rw`, this rule is not
   # owner-restricted. With mv/rm/ln allowed above, it covers any file directly
   # in /tmp that file permissions let the user touch; consider adding `owner`.
   /tmp/* rw,

   /usr/bin/cut rix,

   /usr/bin/dbus-send rix,

   /usr/bin/gnome-screensaver-command rix,

   /usr/bin/xdg-screensaver r,

   /usr/bin/xprop rix,

   /usr/bin/xset rix,

 

 }

}

2 thoughts on “VLC Apparmor Profile”

  1. This breaks VLC for me on Ubuntu 12.04 64bit. Giving decoder errors

    The missing bits are:

    name="/usr/share/locale/en_GB/LC_MESSAGES/vlc.mo" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/share/locale-langpack/en_GB/LC_MESSAGES/libc.mo" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/libmatroska.so.5" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/libmatroska.so.5" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/x86_64-linux-gnu/libpulsecommon-1.1.so" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/x86_64-linux-gnu/libpulsecommon-1.1.so" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    name="/usr/lib/libupnp.so.3.0.5" pid=11111 comm="vlc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

    • Seems like we have different settings; I don’t think I use matroska. But good to know. You can simply add those libraries to the AppArmor profile with mr (the two .mo locale files only need r), and you should have a working profile.
