From 2b9bdf80bb30ebcd1b964f638a13ded2b8ccd141 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Mon, 3 Jul 2017 07:07:16 +0000
Subject: [PATCH] Totem: update to
 https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/310120.

---
 profiles/abstractions/totem       | 19 ++++++++++++++++---
 profiles/usr.bin.totem            | 11 +++++++++--
 profiles/usr.bin.totem-previewers | 10 ++++++----
 3 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
index 23eb217..09cc8bb 100644
--- a/profiles/abstractions/totem
+++ b/profiles/abstractions/totem
@@ -30,13 +30,26 @@
 
   /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
 
-  owner @{HOME}/.cache/tracker/meta.db k,
-  owner @{HOME}/.cache/tracker/meta.db-shm k,
-  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm} k,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
+  owner @{HOME}/.cache/thumbnails/** rw,
+  owner @{HOME}/.cache/totem/** rwk,
+  owner @{HOME}/.cache/totem-* rwk,
+  owner @{HOME}/.cache/tracker/db-locale.txt r,
+  owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.cache/tracker/ontologies.gvdb r,
+  owner @{HOME}/.config/totem/ rwk,
+  owner @{HOME}/.config/totem/** rwk,
+  owner @{HOME}/.local/share/grilo-plugins/ rwk,
+  owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
+  owner @{HOME}/.local/share/gvfs-metadata/** r,
+  owner @{HOME}/.local/share/totem/ rwk,
 
   owner @{PROC}/@{pid}/status r,
 
   /run/udev/data/c* r,
   /run/udev/data/+drm:card* r,
+  /run/udev/data/+usb* r,
 
   /sys/devices/system/node/*/meminfo r,
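Review bot: The rule `owner @{HOME}/.cache/tracker/meta.db{,-shm,-journal,-wal} rwk,` widens the previous lock-only (`k`) grant on the tracker index to full read/write, and because this file is an abstraction the widening reaches every profile that includes it (both usr.bin.totem and usr.bin.totem-previewers in this patch). If the player only queries the store, `rk` on meta.db plus `rw` on the -shm/-wal side files may be all that is needed; that is inferred from the profile rather than visible here, so it is worth checking against the audit-log denials that motivated the change. The same question applies to `owner @{HOME}/.cache/thumbnails/** rw,`, which the thumbnailer must write but the player itself may only read. A one-line comment above the tracker lines, `# TODO: document which tracker operation needs write access here`, would stop the next reviewer from tightening it blindly.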
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
index 1455256..744d2fe 100644
--- a/profiles/usr.bin.totem
+++ b/profiles/usr.bin.totem
@@ -6,6 +6,7 @@
 /usr/bin/totem {
   #include <abstractions/audio>
   #include <abstractions/dconf>
+  #include <abstractions/ibus>
   #include <abstractions/python>
   #include <abstractions/totem>
 
@@ -14,18 +15,24 @@
 
   /usr/bin/totem r,
   /usr/bin/totem-video-thumbnailer Pix,
+  /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
   /dev/sr* r,
 
-  # Allow read and write on anything in @{HOME}. Lenient, but
+  # Quiet logs
+  deny /{usr/,}lib/@{multiarch}/totem/plugins/*/__pycache__/ w,
+
+  # Allow read and write on almost anything in @{HOME}. Lenient, but
   # private-files-strict is in effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** rw,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   owner /{,var/}run/user/*/dconf/user w,
   owner /{,var/}run/user/*/at-spi2-*/   rw,
   owner /{,var/}run/user/*/at-spi2-*/** rw,
 
   /sys/devices/pci[0-9]*/**/config r,
+  /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem>
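Review bot: The new `/usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,` runs the playlist-parser helpers under the full totem profile, whereas the abstraction already confines a comparable helper more tightly with `gst-plugin-scanner Cix -> gst_plugin_scanner`. If those helpers handle untrusted playlist data, as the name suggests, a child profile via `Cix` would keep a parser bug from inheriting the `owner @{HOME}/[^.]*/** rw,` grant added further down; whether they need the whole profile is not visible from this hunk. The `[^.]*` split intentionally leaves dotfiles and dotdirs directly under @{HOME} out of the grant, but the rewritten comment only says "almost anything"; a line such as `# [^.]* excludes dotfiles/dotdirs directly under @{HOME}; private-files-strict covers the rest` would make the exclusion explicit.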
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
index 71f759c..b08af56 100644
--- a/profiles/usr.bin.totem-previewers
+++ b/profiles/usr.bin.totem-previewers
@@ -6,16 +6,17 @@
 /usr/bin/totem-video-thumbnailer {
   #include <abstractions/totem>
 
-  # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+  # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   # Not needed by nautilus, but maybe other applications
   owner /**.[pP][nN][gG] w,
   owner /**.[jJ][pP]{,[eE]}[gG] w,
 
-  /usr/bin/totem-video-thumbnailer r,
+  /usr/bin/totem-video-thumbnailer rm,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>
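Review bot: The replacement rules `owner @{HOME}/[^.]*    rw,` and `owner @{HOME}/[^.]*/** rw,` grant write access where the old `owner @{HOME}/** r,` granted only read, yet the comment directly above still says "Allow read on almost anything"; either the comment or the mode is wrong. A thumbnailer that parses untrusted media is the process whose profile should stay tightest, and the existing `owner /**.[pP][nN][gG] w,` and `owner /**.[jJ][pP]{,[eE]}[gG] w,` rules already cover the output it has to write, so `r` looks like the intended mode unless a specific denial motivated `w`. The second previewer hunk in this file, after `@@ -28,7 +29,8 @@`, has the same read-comment/rw-rule mismatch, and there the comment was not even updated to "almost anything".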
@@ -28,7 +29,8 @@
   # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
   # effect.
   #include <abstractions/private-files-strict>
-  owner @{HOME}/** r,
+  owner @{HOME}/[^.]*    rw,
+  owner @{HOME}/[^.]*/** rw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.totem-previewers>
-- 
GitLab