I have a profile for VLC that works on 64bit Ubuntu with no abstractions. If you’re on another distro or not 64bit, just add <abstraction/base> and remove all of the libraries.

I built this a long time ago to see how annoying it would be to remove abstractions, so it may not be perfect, I haven’t looked at it in a while, but I know it runs fine on my system.

Decided to post it because of a recent writeup about a VLC exploit, here.

# Last Modified: Sat Sep  7 23:23:17 2013

#include <tunables/global>

 

/usr/bin/vlc {

 deny network inet dgram,

 deny /etc/apparmor.d/abstractions/base r,

 

 / r,

 /bin/dash rCx,

 /dev/ r,

 /dev/ati/card* rw,

 /dev/dri/card* rw,

 /dev/null rw,

 /dev/snd/ r,

 /dev/snd/control* rw,

 /dev/tty rw,

 /dev/urandom r,

 /etc/drirc r,

 /etc/fonts/** r,

 /etc/gai.conf r,

 /etc/host.conf r,

 /etc/hosts r,

 /etc/ld.so.cache r,

 /etc/locale.alias r,

 /etc/localtime r,

 /etc/nsswitch.conf r,

 /etc/passwd r,

 /etc/pkcs11/modules/ r,

 /etc/pkcs11/modules/gnome-keyring.module r,

 /etc/pulse/client.conf r,

 /etc/services r,

 /etc/ssl/certs/ca-certificates.crt r,

 /etc/xdg/Trolltech.conf rk,

 /etc/xdg/sni-qt.conf rk,

 /home/ r,

 /home/*/* r,

 /home/*/.config/ rw,

 /home/*/.config/** rk,

 /home/*/.config/Trolltech.conf* rwk,

 /home/*/.config/gtk-*/gtkfilechooser.ini* rw,

 /home/*/.config/vlc/ rw,

 /home/*/.config/vlc/** rwk,

 /home/*/.dbus/ w,

 /home/*/.dbus/session-bus/ w,

 /home/*/.dbus/session-bus/* w,

 /home/*/.local/ w,

 /home/*/.local/share/ w,

 /home/*/.local/share/* rw,

 /home/*/.local/share/icons/ r,

 /home/*/.local/share/icons/hicolor/**/ r,

 /home/*/.local/share/mime/* r,

 /home/*/.local/share/vlc/ rw,

 /home/*/.local/share/vlc/* rw,

 /home/*/.local/share/vlc/*/ rw,

 /home/*/.pulse-cookie rwk,

 /home/*/.pulse/ r,

 /home/*/Documents/ r,

 /home/*/Documents/** rwk,

 /home/*/Downloads/ r,

 /home/*/Downloads/** rwk,

 /home/*/Videos/** rwk,

 /lib/libnss_mdns4.so* mr,

 /lib/libnss_mdns4_minimal.so* mr,

 /lib/x86_64-linux-gnu/ld-*.so mr,

 /lib/x86_64-linux-gnu/libbz2.so.* mr,

 /lib/x86_64-linux-gnu/libc-*.so mr,

 /lib/x86_64-linux-gnu/libcap.so.* mr,

 /lib/x86_64-linux-gnu/libcom_err.so.* mr,

 /lib/x86_64-linux-gnu/libcrypt-*.so mr,

 /lib/x86_64-linux-gnu/libdbus-*.so* mr,

 /lib/x86_64-linux-gnu/libdl-*so mr,

 /lib/x86_64-linux-gnu/libexpat.so.* mr,

 /lib/x86_64-linux-gnu/libgcc_s.so.* mr,

 /lib/x86_64-linux-gnu/libgcrypt.so.* mr,

 /lib/x86_64-linux-gnu/libglib-2.0.so.* mr,

 /lib/x86_64-linux-gnu/libgpg-error.so.* mr,

 /lib/x86_64-linux-gnu/libjson.so.* mr,

 /lib/x86_64-linux-gnu/libkeyutils.so.* mr,

 /lib/x86_64-linux-gnu/liblzma.so.* mr,

 /lib/x86_64-linux-gnu/libm-*so mr,

 /lib/x86_64-linux-gnu/libncurses.so.* mr,

 /lib/x86_64-linux-gnu/libncursesw.so.* mr,

 /lib/x86_64-linux-gnu/libnsl-*.so mr,

 /lib/x86_64-linux-gnu/libnss_compat-*.so mr,

 /lib/x86_64-linux-gnu/libnss_dns-*.so mr,

 /lib/x86_64-linux-gnu/libnss_files-*.so mr,

 /lib/x86_64-linux-gnu/libnss_nis-*.so mr,

 /lib/x86_64-linux-gnu/libpcre.so.* mr,

 /lib/x86_64-linux-gnu/libpng*.so.* mr,

 /lib/x86_64-linux-gnu/libpthread-*so mr,

 /lib/x86_64-linux-gnu/libresolv-*.so mr,

 /lib/x86_64-linux-gnu/librt-*so mr,

 /lib/x86_64-linux-gnu/libselinux.so.* mr,

 /lib/x86_64-linux-gnu/libslang.so.* mr,

 /lib/x86_64-linux-gnu/libtinfo.so.* mr,

 /lib/x86_64-linux-gnu/libudev.so.* mr,

 /lib/x86_64-linux-gnu/libusb-*.so.* mr,

 /lib/x86_64-linux-gnu/libuuid.so.* mr,

 /lib/x86_64-linux-gnu/libwrap.so.* mr,

 /lib/x86_64-linux-gnu/libz.so.* mr,

 /media/** rwk,

 /proc/ r,

 /proc/*/auxv r,

 /proc/*/cmdline r,

 /proc/*/fd/ r,

 /proc/*/maps r,

 /proc/*/stat r,

 /proc/*/status r,

 /proc/ati/ r,

 /proc/filesystems r,

 /proc/meminfo r,

 /proc/modules r,

 /proc/sys/kernel/pid_max r,

 /proc/sys/vm/overcommit_memory r,

 /proc/uptime r,

 /run/resolvconf/resolv.conf r,

 /run/shm/ r,

 /run/shm/pulse-shm-* rw,

 /run/user/*/dconf/user rw,

 /sys/devices/system/*/ r,

 /sys/devices/system/cpu/online r,

 owner /tmp/** rw,

 /usr/bin/vlc r,

 /usr/bin/xdg-screensaver Cx,

 /usr/lib/fglrx/libGL.so.* mr,

 /usr/lib/fglrx/libatiuki.so.* mr,

 /usr/lib/liba*-*.so* mr,

 /usr/lib/libcddb.so* mr,

 /usr/lib/libcdio.so* mr,

 /usr/lib/libdca.so* mr,

 /usr/lib/libdvbpsi.so* mr,

 /usr/lib/libenca.so* mr,

 /usr/lib/libiso9660.so* mr,

 /usr/lib/libkate.so* mr,

 /usr/lib/liblirc_client.so* mr,

 /usr/lib/libmodplug.so* mr,

 /usr/lib/libmpcdec.so* mr,

 /usr/lib/libresid-builder.so* mr,

 /usr/lib/libsidplay2.so* mr,

 /usr/lib/libtar.so* mr,

 /usr/lib/libtwolame.so* mr,

 /usr/lib/libvcdinfo.so* mr,

 /usr/lib/libvlc.so* mr,

 /usr/lib/libvlccore.so* mr,

 /usr/lib/locale/locale-archive r,

 /usr/lib/vlc/lua/meta/reader/ r,

 /usr/lib/vlc/lua/meta/reader/filename.luac r,

 /usr/lib/vlc/lua/modules/simplexml.luac r,

 /usr/lib/vlc/lua/playlist/ r,

 /usr/lib/vlc/lua/playlist/* r,

 /usr/lib/vlc/plugins/ r,

 /usr/lib/vlc/plugins/*/ r,

 /usr/lib/vlc/plugins/*/lib*.so mr,

 /usr/lib/vlc/plugins/plugins.dat* rw,

 /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_conf_pulse.so mr,

 /usr/lib/x86_64-linux-gnu/dri/r*_dri.so mr,

 /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/CP*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/UTF-*.so mr,

 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders.cache mr,

 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-*/*/loaders/lib*.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/ r,

 /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache r,

 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so mr,

 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/engines/libmurrine.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/gtk.immodules r,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/immodules/im-ibus.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/*/menuproxies/libappmenu.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/libcanberra-gtk-module.so mr,

 /usr/lib/x86_64-linux-gnu/gtk-*/modules/liboverlay-scrollbar.so mr,

 /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so mr,

 /usr/lib/x86_64-linux-gnu/libFLAC.so.* mr,

 /usr/lib/x86_64-linux-gnu/libICE.so.* mr,

 /usr/lib/x86_64-linux-gnu/libLLVM-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtCore.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtDBus.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtGui.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtSvg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libQtXml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSDL_image-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libSM.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11-xcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libX11.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXau.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcomposite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXcursor.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdamage.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXdmcp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXext.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXfixes.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXinerama.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrandr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXrender.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libXxf86vm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaa.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasound.so.* mr,

 /usr/lib/x86_64-linux-gnu/libass.so.* mr,

 /usr/lib/x86_64-linux-gnu/libasyncns.so.* mr,

 /usr/lib/x86_64-linux-gnu/libatk-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libaudio.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-client.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavahi-common.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavcodec.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavformat.so.* mr,

 /usr/lib/x86_64-linux-gnu/libavutil.so.* mr,

 /usr/lib/x86_64-linux-gnu/libbluray.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcaca.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcairo.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcanberra.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcroco-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libcrystalhd.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdatrie.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-gtk.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdbusmenu-qt.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdc*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirac_encoder.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirect-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdirectfb-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdricore*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdrm_radeon.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdnav.so.* mr,

 /usr/lib/x86_64-linux-gnu/libdvdread.so.* mr,

 /usr/lib/x86_64-linux-gnu/libebml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfaad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libffi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfontconfig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfreetype.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfribidi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libfusion-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgallium.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgconf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgio-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libglapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgmodule-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgnutls.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgobject-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgpm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgsm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libgtk-x11-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libharfbuzz.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhcrypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimbase.so.* mr,

 /usr/lib/x86_64-linux-gnu/libheimntlm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libhx509.so.* mr,

 /usr/lib/x86_64-linux-gnu/libibus-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicudata.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicui18n.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicule.so.* mr,

 /usr/lib/x86_64-linux-gnu/libicuuc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libixml.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjbig.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjpeg.so.* mr,

 /usr/lib/x86_64-linux-gnu/libjson.so.* mr,

 /usr/lib/x86_64-linux-gnu/libk5crypto.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5.so.* mr,

 /usr/lib/x86_64-linux-gnu/libkrb5support.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblber-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblcms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libldap_r-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,

 /usr/lib/x86_64-linux-gnu/liblua5.1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmad.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmatroska.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmng.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmpeg*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libmtp.so.* mr,

 /usr/lib/x86_64-linux-gnu/libnotify.so.* mr,

 /usr/lib/x86_64-linux-gnu/libogg.so* mr,

 /usr/lib/x86_64-linux-gnu/libopus.so.* mr,

 /usr/lib/x86_64-linux-gnu/liborc-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libp11-kit.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpango-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangocairo-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpangoft2-*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpixman-1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpostproc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy.so.* mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/ r,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/config_gnome*.so mr,

 /usr/lib/x86_64-linux-gnu/libproxy/*/modules/network_networkmanager.so mr,

 /usr/lib/x86_64-linux-gnu/libpulse-simple.so.* mr,

 /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,

 /usr/lib/x86_64-linux-gnu/libraw*.so.* mr,

 /usr/lib/x86_64-linux-gnu/libroken.so.* mr,

 /usr/lib/x86_64-linux-gnu/librom*.so.* mr,

 /usr/lib/x86_64-linux-gnu/librsvg-2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsamplerate.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsasl2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libschroedinger-*.so* mr,

 /usr/lib/x86_64-linux-gnu/libshout.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsmbclient.so.* mr,

 /usr/lib/x86_64-linux-gnu/libsndfile.so.* mr,

 /usr/lib/x86_64-linux-gnu/libspeex.so* mr,

 /usr/lib/x86_64-linux-gnu/libspeexdsp.so* mr,

 /usr/lib/x86_64-linux-gnu/libsqlite3.so* mr,

 /usr/lib/x86_64-linux-gnu/libssh2.so* mr,

 /usr/lib/x86_64-linux-gnu/libstdc*.so* mr,

 /usr/lib/x86_64-linux-gnu/libswscale.so* mr,

 /usr/lib/x86_64-linux-gnu/libtag.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtalloc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtasn1.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libthai.so.* mr,

 /usr/lib/x86_64-linux-gnu/libtheora.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoradec.so* mr,

 /usr/lib/x86_64-linux-gnu/libtheoraenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libthreadutil.so* mr,

 /usr/lib/x86_64-linux-gnu/libtiff.so* mr,

 /usr/lib/x86_64-linux-gnu/libtxc_dxtn_s2tc.so.* mr,

 /usr/lib/x86_64-linux-gnu/libupnp.so* mr,

 /usr/lib/x86_64-linux-gnu/libv*.so* mr,

 /usr/lib/x86_64-linux-gnu/libv4lconvert.so* mr,

 /usr/lib/x86_64-linux-gnu/libva-x11.so* mr,

 /usr/lib/x86_64-linux-gnu/libva.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbis.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisenc.so* mr,

 /usr/lib/x86_64-linux-gnu/libvorbisfile.so* mr,

 /usr/lib/x86_64-linux-gnu/libvpx.so* mr,

 /usr/lib/x86_64-linux-gnu/libwbclient.so* mr,

 /usr/lib/x86_64-linux-gnu/libwebp.so* mr,

 /usr/lib/x86_64-linux-gnu/libwind.so* mr,

 /usr/lib/x86_64-linux-gnu/libx264.so* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-composite.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-dri2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-glx.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-keysyms.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-randr.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-render.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-shm.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb-xv.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxcb.so.* mr,

 /usr/lib/x86_64-linux-gnu/libxml2.so.* mr,

 /usr/lib/x86_64-linux-gnu/libzvbi.so.* mr,

 /usr/lib/x86_64-linux-gnu/mesa/libGL.so.* mr,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/ r,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango*.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/module-files.d/libpango1.0-0.modules r,

 /usr/lib/x86_64-linux-gnu/pango/*/modules/pango-basic-fc.so mr,

 /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs*.so mr,

 /usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-*.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/iconengines/libqsvgicon.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqgif.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqico.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqjpeg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqmng.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqsvg.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtga.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/imageformats/libqtiff.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/inputmethods/libqimsw-multi.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/menubar/libappmenu-qt.so mr,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/ r,

 /usr/lib/x86_64-linux-gnu/qt4/plugins/systemtrayicon/libsni-qt.so mr,

 /usr/lib{,32,64}/ r,

 /usr/local/share/fonts/ r,

 /usr/local/share/pixmaps/ r,

 /usr/share/X11/locale/*/Compose r,

 /usr/share/X11/locale/*/XLC_LOCALE r,

 /usr/share/X11/locale/compose.dir r,

 /usr/share/X11/locale/locale.alias r,

 /usr/share/X11/locale/locale.dir r,

 /usr/share/alsa/* r,

 /usr/share/alsa/alsa.conf.d/ r,

 /usr/share/alsa/alsa.conf.d/50-pulseaudio.conf r,

 /usr/share/alsa/alsa.conf.d/bluetooth.conf r,

 /usr/share/alsa/alsa.conf.d/pulse.conf r,

 /usr/share/alsa/cards/aliases.conf r,

 /usr/share/alsa/pcm/default.conf r,

 /usr/share/fonts/ r,

 /usr/share/fonts/** r,

 /usr/share/glib-2.0/schemas/gschemas.compiled r,

 /usr/share/gvfs/remote-volume-monitors/ r,

 /usr/share/gvfs/remote-volume-monitors/*.monitor r,

 /usr/share/icons/ r,

 /usr/share/icons/** rk,

 /usr/share/libthai/* r,

 /usr/share/mime/mime.cache r,

 /usr/share/pixmaps/ r,

 /usr/share/poppler/cMap/*/ r,

 /usr/share/themes/** r,

 /var/cache/** mr,

 /var/lib/dbus/machine-id r,

 /var/lib/defoma/fontconfig.d/* r,

 profile /bin/dash {

 

   /bin/dash mr,

   /etc/ld.so.cache r,

   /etc/nsswitch.conf r,

   /etc/passwd r,

   /home/*/.config/dconf/user r,

   /lib/x86_64-linux-gnu/ld-*.so r,

   /lib/x86_64-linux-gnu/libc-*.so* mr,

   /run/user/*/dconf/user rw,

   /usr/lib/x86_64-linux-gnu/libproxy/*/pxgsettings rix,

   /usr/share/glib-2.0/schemas/gschemas.compiled r,

 

 }

 

 profile /usr/bin/xdg-screensaver {

   #include <abstractions/ubuntu-konsole>

 

   capability sys_ptrace,

   /bin/cat rix,

   /bin/dash rix,

   /bin/grep rix,

   /bin/hostname rix,

   /bin/ln rix,

   /bin/mktemp rix,

   /bin/mv rix,

   /bin/ps rix,

   /bin/rm rix,

   /bin/sed rix,

   /bin/sleep rix,

   /bin/which rix,

   /home/*/.Xauthority r,

   /proc/ r,

   /proc/*/mounts r,

   /proc/*/stat r,

   /proc/*/status r,

   /proc/cpuinfo r,

   /proc/filesystems r,

   /proc/meminfo r,

   /proc/stat r,

   /proc/sys/kernel/pid_max r,

   /proc/tty/drivers r,

   /proc/uptime r,

   /tmp/* rw,

   /usr/bin/cut rix,

   /usr/bin/dbus-send rix,

   /usr/bin/gnome-screensaver-command rix,

   /usr/bin/xdg-screensaver r,

   /usr/bin/xprop rix,

   /usr/bin/xset rix,

 

 }

}

For the last couple of weeks I’ve been using HTTPSwitchBoard. It’s reminiscent of NoScript or Request Policy on Firefox, but has a wonderful and intuitive user interface. The goal of the extension is to allow users to control what content is loaded on their webpages. It intercepts request for content and displays them to the user, allowing them to decide which they would like to allow. It is the first ‘script control’ or ‘content control’ extension that I have used on Chrome that has a decent user interface and isn’t totally broken. And, it works – it passes various Javascript tests.

As you can see in the above screenshot you get quite a lot of information about what a website needs. In this case I’m creating a whitelist of content for http://www.insanitybit.com and any third party content loaded onto it.

Creating the whitelist is simple, and you can get quite strict with the settings.

As you can see I’ve opened up a ‘list’ in the top left, that list determines where these rules apply. By default it apples to “*”, which means that whatever I whitelist will be whitelisted on all sites (that don’t have more specific rules). I can also do http://*.insanitybit.com, which means if there’s a forum.insanitybit.com the whitelist applies. Or, in this case, I’ve limited the rules to http://www.insanitybit.com. This is a wonderful feature. I, for example, have globally whitelisted imgur.com, because it’s loaded on so many sites. I can then also have my Facebook rules apply only to Facebook, leaving it blocked by default on all other sites. Very simple, very powerful.

Scripting control extensions have suffered in the past due to Chrome not allowing developers access to powerful APIs. The developer solved this by having all script control handled by Content Security Policy, and modifying the header before the request is made, thus disallowing Javascript reliably.

I like the extension a lot – while I am not really worried at all about security on my system, I find it much faster than Adblock Plus, simple to use, and I enjoy being able to control the content on webpages.

The developer is very responsive and all of the code is on GIT, which is wonderful.

You can find HTTP Switchboard on the Chrome webstore here:

https://chrome.google.com/webstore/detail/http-switchboard/mghdpehejfekicfjcdbfofhcmnjhgaag