java (3829B)
- # vim:syntax=apparmor
- abi <abi/3.0>,
- # Java plugin
- owner @{HOME}/.java/deployment/deployment.properties k,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}lib/*/IcedTeaPlugin.so mr,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java cx -> browser_openjdk,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
- /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
- owner /{,var/}run/user/*/icedteaplugin-*/ rw,
- owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
- # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
- # unfortunate workarounds of the proprietary Javas, so have a separate
- # profile.
- profile browser_openjdk {
- include <abstractions/base>
- include <abstractions/fonts>
- include <abstractions/gnome>
- include <abstractions/kde>
- include <abstractions/nameservice>
- include <abstractions/ssl_certs>
- include <abstractions/user-tmp>
- include <abstractions/private-files-strict>
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
- /usr/bin/env ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk/{,jre/}bin/java ix,
- /usr/lib/jvm/java-[1-9]{,[0-9]}-openjdk-{amd64,armel,armhf,i386,powerpc}/{,jre/}bin/java ix,
- /usr/lib/jvm/java-{6,7}-openjdk*/jre/lib/i386/client/classes.jsa m,
- # Why would java need this?
- deny /usr/bin/gconftool-2 x,
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-appletviewer-to-plugin rw,
- owner /{,var/}run/user/[0-9]*/icedteaplugin-*-*/[0-9]*-icedteanp-plugin-{,debug-}to-appletviewer r,
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
- }
- # Profile for commercial Javas. These need workarounds to work right (eg
- # Sun's forcing of an executable stack (LP: #535247)).
- profile browser_java {
- include <abstractions/base>
- include <abstractions/fonts>
- include <abstractions/gnome>
- include <abstractions/kde>
- include <abstractions/nameservice>
- include <abstractions/ssl_certs>
- include <abstractions/user-tmp>
- include <abstractions/private-files-strict>
- network inet stream,
- network inet6 stream,
- @{PROC}/@{pid}/net/if_inet6 r,
- @{PROC}/@{pid}/net/ipv6_route r,
- @{PROC}/loadavg r,
- /etc/debian_version r,
- /etc/java-*/ r,
- /etc/java-*/** r,
- /etc/lsb-release r,
- /etc/ssl/certs/java/* r,
- /etc/timezone r,
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/filesystems r,
- @{sys}/devices/system/cpu/ r,
- @{sys}/devices/system/cpu/** r,
- /usr/share/** r,
- /var/lib/dbus/machine-id r,
- /usr/bin/env ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
- /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
- /usr/lib/j2*-ibm/jre/bin/java ix,
- # noisy, can't write here anyway
- deny /etc/.java/ w,
- deny /etc/.java/** w,
- deny /usr/bin/gconftool-2 x,
- owner @{HOME}/ r,
- owner @{HOME}/** rwk,
- # These are seriously unfortunate, but required due to LP: #535247
- /etc/passwd m,
- owner @{HOME}/.java/**/cache/** m,
- owner /tmp/** m,
- /usr/lib{,32,64}/jvm/**/*.jar mr,
- /usr/share/fonts/** m,
- }