AppArmor Policy Groups
This document contains a full list of Ubuntu Touch’s available policy groups and a description of what they give your app permission to access.
Each entry follows this format:
Title
-----
Description: Description from apparmor file
Usage: How common it is to use this policy (from apparmor file)
Optional longer description
Policy usage affects whether your app will be accepted by the OpenStore. Apps containing policies with common usage are generally accepted immediately, while reserved usage policies will need to be manually reviewed.
Note
Coding tip: Every time you change your AppArmor policy file, you need to update your app’s version for the change to be taken into account.
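The common/reserved distinction described above can be checked before submitting an app. The following is an added example, not code from Ubuntu Touch or the OpenStore: it assumes the app's AppArmor manifest is a JSON file with a `policy_groups` list, and `review_manifest` is a hypothetical helper name. The two sets are copied from the entries on this page.

```python
import json

# Usage classification copied from the policy group entries on this page.
COMMON = {
    "accounts", "audio", "camera", "connectivity", "content_exchange",
    "content_exchange_source", "keep-display-on", "location", "microphone",
    "networking", "nfc", "push-notification-client", "sensors",
    "usermetrics", "video", "webview",
}
RESERVED = {
    "bluetooth", "calendar", "contacts", "debug", "document_files",
    "document_files_read", "history", "music_files", "music_files_read",
    "picture_files", "picture_files_read", "video_files", "video_files_read",
}

def review_manifest(text):
    """Sort a manifest's policy groups into common, reserved and unknown."""
    manifest = json.loads(text)
    groups = manifest.get("policy_groups", [])  # assumed manifest key
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("policy_groups must be a JSON list of strings")
    report = {"common": [], "reserved": [], "unknown": [], "notes": []}
    for group in groups:
        if group in COMMON:
            report["common"].append(group)
        elif group in RESERVED:
            report["reserved"].append(group)
        else:
            report["unknown"].append(group)  # typo, or a group not listed here
    for group in report["reserved"]:
        if group == "debug":
            report["notes"].append("debug: development only, not for production packages")
        elif group.endswith(("_files", "_files_read")):
            report["notes"].append(group + ": consider content_exchange instead")
    # Reserved groups are the ones this page says need manual review.
    report["manual_review"] = bool(report["reserved"])
    return report

# Constructed sample manifest (not taken from a real app); note the typo.
SAMPLE = """{
  "policy_groups": ["networking", "content_exchange", "music_files_read",
                    "debug", "netwrking"],
  "policy_version": 16.04
}"""

if __name__ == "__main__":
    print(json.dumps(review_manifest(SAMPLE), indent=2))
```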
accounts
Description: Can use Online Accounts.
Usage: common
The accounts policy gives your app the permissions it needs to access the Online Accounts API.
audio
Description: Can play audio (allows playing remote content via media-hub)
Usage: common
The audio policy is needed for your app to play audio via pulseaudio or media-hub. The permission also gives it the ability to send album art to the thumbnailer service, which is then shown on the sound indicator.
bluetooth
Description: Use bluetooth (bluez5) as an administrator.
Usage: reserved
This policy grants unrestricted access to Bluetooth devices. It is provided for administration of Bluetooth and as a stepping stone towards developing a safe Bluetooth API all apps can access.
calendar
Description: Can access the calendar.
Usage: reserved
Calendar grants access to the Evolution dataserver’s calendar and alarms APIs. It also grants access to sync-monitor.
This policy is reserved since it grants free access to all calendars on the device at any time. The legacy bug about this situation is LP #1227824.
camera
Description: Can access the camera(s)
Usage: common
The camera policy grants access to device cameras.
connectivity
Description: Can access coarse network connectivity information
Usage: common
The connectivity policy allows apps to determine rough information about the device’s connectivity. This includes whether the device is connected to the Internet and whether it is connected via a Wi-Fi or mobile data connection.
contacts
Description: Can access contacts.
Usage: reserved
The contacts policy allows apps to access the device user’s contacts list. It is marked as reserved because it allows access to sync-monitor and unfettered access to the address book.
content_exchange
Description: Can request/import data from other applications
Usage: common
Using the content_exchange policy allows your app to be a consumer of content on content-hub.
content_exchange_source
Description: Can provide/export data to other applications
Usage: common
The content_exchange_source policy allows your app to provide content on content-hub.
debug
Description: Use special debugging tools. This should only be used in development and not for production packages. Note: use of this policy group provides significantly different confinement than normal and is not considered secure. You should never run untrusted programs using this policy group.
Usage: reserved
document_files
Description: Can read and write to document files. This policy group is reserved for certain applications, such as document viewers. Developers should typically use the content_exchange policy group and API to access document files instead.
Usage: reserved
This policy allows apps to read and write to the “Documents” folders in the user’s home directory and external media.
document_files_read
Description: Can read all document files. This policy group is reserved for certain applications, such as document viewers. Developers should typically use the content_exchange policy group and API to access document files instead.
Usage: reserved
This policy allows apps to read the “Documents” folders in the user’s home directory and external media.
history
Description: Can access the history-service. This policy group is reserved for vetted applications only in this version of the policy. A future version of the policy may move this out of reserved status.
Usage: reserved
keep-display-on
Description: Can request keeping the screen on
Usage: common
location
Description: Can access Location
Usage: common
Allows an app to request access to the device’s current location.
microphone
Description: Can access the microphone
Usage: common
music_files
Description: Can read and write to music files. This policy group is reserved for certain applications, such as music players. Developers should typically use the content_exchange policy group and API to access music files instead.
Usage: reserved
The music_files policy group allows an app to read or write to the Music directories in the user’s home folder or on external media.
music_files_read
Description: Can read all music files. This policy group is reserved for certain applications, such as music players. Developers should typically use the content_exchange policy group and API to access music files instead.
Usage: reserved
The music_files_read policy group allows an app to read the Music directories in the user’s home folder or on external media.
networking
Description: Can access the network
Usage: common
The networking policy group allows an app to contact network devices and use the download manager.
nfc
Description: Can access the NFC functionality
Usage: common
The nfc policy group allows an app to read and write NFC tags via NDEF data as well as establish a peer-to-peer connection between two devices.
picture_files
Description: Can read and write to picture files. This policy group is reserved for certain applications, such as gallery applications. Developers should typically use the content_exchange policy group and API to access picture files instead.
Usage: reserved
The picture_files policy group allows an app to read and write to the Pictures directories in the user’s home folder or on external media.
picture_files_read
Description: Can read all picture files. This policy group is reserved for certain applications, such as gallery applications. Developers should typically use the content_exchange policy group and API to access picture files instead.
Usage: reserved
The picture_files_read policy group allows an app to read the Pictures directories in the user’s home folder or on external media.
push-notification-client
Description: Can use push notifications as a client
Usage: common
sensors
Description: Can access the sensors
Usage: common
Allows apps to access device sensors.
usermetrics
Description: Can use UserMetrics to update the InfoGraphic
Usage: common
Allows an app to write metrics to the UserMetrics service so they can be displayed on the InfoGraphic.
video
Description: Can play video (allows playing remote content via media-hub)
Usage: common
video_files
Description: Can read and write to video files. This policy group is reserved for certain applications, such as gallery applications. Developers should typically use the content_exchange policy group and API to access video files instead.
Usage: reserved
The video_files policy group allows an app to read and write to the Videos directories in the user’s home folder or on external media.
video_files_read
Description: Can read all video files. This policy group is reserved for certain applications, such as gallery applications. Developers should typically use the content_exchange policy group and API to access video files instead.
Usage: reserved
The video_files_read policy group allows an app to read the Videos directories in the user’s home folder or on external media.
webview
Description: Can use the UbuntuWebview
Usage: common
The webview policy group allows apps to embed a web browser view.