apparmor.d/dists/ubuntu/abstractions/gio-open

58 lines
1.5 KiB
Plaintext
Raw Normal View History

# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>