Pidgin AppArmor profile: disable launchpad-integration abstraction.

That abstraction gives /usr/bin/launchpad-integration wide open access to many
files and executables; on the one hand we don't care much, since we don't ship
that binary. On the other hand, some of those wide-open rules (for example,
those about /** and /{,usr/}lib*/{,**/}*.so{,.*}) won't play well with aliases:
they make the policy needlessly hard to audit, and may increase its
compilation time.

The Pidgin profile is the only one we currently ship that includes the
launchpad-integration abstraction. Same on my current Debian sid, so we should
be good at least for Tails/Jessie (and possibly even for Tails/Stretch).

1 files changed, 12 insertions, 2 deletions

diff --git a/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff b/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
index 91c41fa..8e180d8 100644
--- a/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff
@@ -1,5 +1,14 @@
---- a/etc/apparmor.d/usr.bin.pidgin	2014-10-30 17:47:51.945948920 +0100
-+++ b/etc/apparmor.d/usr.bin.pidgin	2014-10-30 17:48:29.273511368 +0100
+--- a/etc/apparmor.d/usr.bin.pidgin	2015-06-04 12:37:02.453412928 +0000
++++ b/etc/apparmor.d/usr.bin.pidgin	2015-06-04 12:37:40.309205204 +0000
+@@ -11,7 +11,7 @@
+   #include <abstractions/enchant>
+   #include <abstractions/gnome>
+   #include <abstractions/ibus>
+-  #include <abstractions/launchpad-integration>
++  # #include <abstractions/launchpad-integration>
+   #include <abstractions/nameservice>
+   #include <abstractions/private-files-strict>
+   #include <abstractions/ssl_certs>
 @@ -46,6 +46,7 @@
    /usr/bin/gvfs-open rmix,
    /usr/bin/pidgin r,
@@ -8,3 +17,4 @@
  
    /usr/share/gnome/applications/ r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
+