AppArmor rule for NoMachine’s free NX server and Hardy Heron

I had a bit of time today so I generated an AppArmor rule for NoMachine’s free NX server for Linux. It’s a bit rough and ready but it does work. Might go back to tidy it up a bit when I’ve got more time on my hands. Tested on Ubuntu Hardy Heron 8.04 using the following NX versions:
-rw-r--r-- 1 billy billy 3860030 2008-07-15 13:29 nxclient_3.2.0-9_i386.deb
-rw-r--r-- 1 billy billy 6246394 2008-07-15 13:30 nxnode_3.2.0-11_i386.deb
-rw-r--r-- 1 billy billy 6701004 2008-07-15 13:30 nxserver_3.2.0-13_i386.deb

Updated Sunday 24th May 2009
#
#
# Copyright (C) Billy Dickson 24/05/2009
#
# Filename: /etc/apparmor.d/usr.NX.bin.nxserver
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
#
# Last Modified: Fri Jun 11 21:01:30 2009
#

#include <tunables/global>

/usr/NX/bin/nxserver {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>

  # dac_override lets the process bypass file permission checks;
  # sys_tty_config allows terminal configuration.
  capability dac_override,
  capability sys_tty_config,

  # File rules: ix = execute under this same profile, m = mmap as executable,
  # k = file locking, l = link, r/w = read/write.
  /bin/bash ixr,
  /bin/date ixr,
  /bin/hostname ixr,
  /bin/netstat ixr,
  /bin/ps ixr,
  /bin/stty ixr,
  /bin/su ixr,
  /dev/tty rw,
  /etc/pam.d/other r,
  /etc/pam.d/su r,
  /home/*/.bashrc r,
  /home/*/.profile r,
  /usr/NX/bin/nxserver mr,
  /usr/NX/bin/nxssh ixr,
  /usr/NX/etc/* r,
  /usr/NX/etc/administrators.db.lock krw,
  /usr/NX/etc/guests.db.lock krw,
  /usr/NX/etc/keys/node.localhost.id_dsa r,
  /usr/NX/etc/keys/node.localhost.id_dsa.pub r,
  /usr/NX/etc/users.db r,
  /usr/NX/etc/users.db.lock krw,
  /usr/NX/home/nx/** rwl,
  /usr/NX/lib/lib*so* mr,
  /usr/NX/lib/perl/* mr,
  /usr/NX/lib/perl/include/** r,
  /usr/NX/lib/perl/libperl.so mr,
  /usr/NX/var/db/** klrw,
  /usr/bin/mesg ixr,
  /usr/bin/expr ixr,
  /usr/bin/cut ixr,
  /usr/bin/getent ixr,
  /usr/share/locale-langpack/** r,
  @{PROC}/ r,
  @{PROC}/** r,
}

Always remember to reload AppArmor when you change or add rules:

sudo /etc/init.d/apparmor reload
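
When tidying up a generated profile like the one above, it helps to list the broadest grants first. The following is an added example, not part of the original post: a small Python reviewer that parses capability and file rules and flags three things to re-check. The flagging criteria and the names `parse_profile` and `review` are assumptions of this example, and the sample text is a constructed excerpt of the profile.

```python
import re

# Constructed excerpt of the profile above (a few representative rules).
SAMPLE = """\
/usr/NX/bin/nxserver {
  #include <abstractions/base>
  capability dac_override,
  /bin/su ixr,
  /dev/tty rw,
  /usr/NX/etc/* r,
  /usr/NX/etc/users.db.lock krw,
  /usr/NX/home/nx/** rwl,
  /usr/NX/var/db/** klrw,
  @{PROC}/** r,
}
"""

RULE = re.compile(r"^\s*(?P<path>(?:/|@\{)\S*)\s+(?P<perms>[a-zA-Z]+),\s*$")
CAP = re.compile(r"^\s*capability\s+(?P<cap>\w+),\s*$")

def parse_profile(text):
    """Return (capabilities, [(path, perms)]) from AppArmor profile text."""
    caps, rules = [], []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # comments and #include lines
            continue
        if (m := CAP.match(line)):
            caps.append(m["cap"])
        elif (m := RULE.match(line)):
            rules.append((m["path"], m["perms"]))
    return caps, rules

def review(text):
    """List rules worth a second look (criteria are this example's own)."""
    caps, rules = parse_profile(text)
    findings = [f"capability {c}" for c in caps]
    for path, perms in rules:
        if "**" in path and "w" in perms:  # write access to a whole subtree
            findings.append(f"recursive write: {path} {perms}")
        if "ix" in perms:  # child runs with every permission in this profile
            findings.append(f"inherited exec: {path} {perms}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

Run it against the full file by passing `open("/etc/apparmor.d/usr.NX.bin.nxserver").read()` to `review`.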
