# vim:syntax=apparmor
# Last Modified: Tue Jun 09 14:34:12 2009
# Author: Kees Cook
#         Jamie Strandboge
#
# AppArmor profiles for evince and its two helper binaries.
#
# NOTE(review): the target of every '#include' in this file was lost in
# extraction (the '<...>' argument is missing). Restore them from the original
# profile before loading: @{HOME} is used throughout, so the top-level include
# presumably pulls in the global tunables that define it, and the comments
# below say abstractions/private-files-strict is in effect, so that is one of
# the per-profile includes — confirm against the original.
#include

# All three profiles carry flags=(complain): accesses not matched by a rule
# are logged but NOT denied. Until that flag is removed, nothing in this file
# actually confines evince; treat it as an auditing/learning profile.
/usr/bin/evince flags=(complain) {
  #include

  # 'r' + 'm' (mmap) on the binary itself; 'Px' runs the previewer under its
  # own discrete profile with a scrubbed environment, so the previewer does
  # not inherit the permissions granted here.
  /usr/bin/evince rmPx,
  /usr/bin/evince-previewer Px,

  # allow directory listings (ie 'r' on directories) so browsing via the file
  # dialog works. '/**/' matches every directory on the system.
  / r,
  /**/ r,
  @{HOME}/ r,

  # This is needed for saving files in your home directory without an
  # extension. Changing this to '@{HOME}/** r' makes it require an extension
  # and is more secure (but with 'rw', we still have
  # abstractions/private-files-strict in effect).
  # NOTE(review): this is the broadest grant in the profile — read/write on
  # everything under the home directory, regardless of file type.
  @{HOME}/** rw,

  # Per-application state. 'l' allows hard links within the evince dir.
  @{HOME}/.gnome2/evince/* rwl,
  @{HOME}/.gnome2/accels/ rw,
  # The path without a separator is presumably intentional (matching a file
  # evince really writes) rather than a typo — verify before removing it.
  @{HOME}/.gnome2/accelsevince rw,
  @{HOME}/.gnome2/accels/evince rw,

  # from http://live.gnome.org/Evince/SupportedDocumentFormats. Allow
  # read and write for all supported file formats. Each rule is
  # case-insensitive on the extension and applies anywhere on the filesystem
  # (still subject to normal DAC permissions); 'w' here is what lets evince
  # overwrite a document it opened.
  /**.[bB][mM][pP] rw,
  /**.[dD][jJ][vV][uU] rw,
  /**.[dD][vV][iI] rw,
  /**.[gG][iI][fF] rw,
  /**.[jJ][pP][gG] rw,
  /**.[jJ][pP][eE][gG] rw,
  /**.[oO][dD][pP] rw,
  /**.[pP][dD][fF] rw,
  /**.[pP][nN][mM] rw,
  /**.[pP][nN][gG] rw,
  /**.[pP][sS] rw,
  /**.[eE][pP][sS] rw,
  /**.[tT][iI][fF][fF] rw,
  /**.[xX][pP][mM] rw,
  /**.[gG][zZ] rw,
  # matches .cbr, .cbz and .cb7
  /**.[cC][bB][rRzZ7] rw,

  # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
  # directory a file is saved. This allows that behavior. 'owner' limits the
  # write to files owned by the same uid as the evince process.
  owner /**/.goutputstream-* w,
}

/usr/bin/evince-previewer flags=(complain) {
  #include

  /usr/bin/evince-previewer mr,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect. Read-only over the home directory, unlike the main profile.
  @{HOME}/ r,
  @{HOME}/** r,
}

/usr/bin/evince-thumbnailer flags=(complain) {
  #include

  /usr/bin/evince-thumbnailer mr,

  # Lenient, but remember we still have abstractions/private-files-strict in
  # effect.
  # NOTE(review): the thumbnailer gets 'rw' on all of @{HOME}, broader than the
  # previewer's 'r'. The file says nothing about why it needs to write; since
  # a thumbnailer typically parses documents the user has not yet opened,
  # confirm whether 'r' (plus a narrow rule for wherever it stores thumbnails)
  # would suffice once this profile leaves complain mode.
  @{HOME}/ r,
  @{HOME}/** rw,
}