From 042e9ff543ef6c253c1369f4cf6550388f202184 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 11 Mar 2024 22:37:59 +0000
Subject: [PATCH] feat(profile): rewrite the okular profile.
---
 apparmor.d/groups/apps/okular | 124 ----------------------------------
 apparmor.d/groups/kde/okular | 67 ++++++++++++++++++
 dists/flags/main.flags | 2 +-
 3 files changed, 68 insertions(+), 125 deletions(-)
 delete mode 100644 apparmor.d/groups/apps/okular
 create mode 100644 apparmor.d/groups/kde/okular

diff --git a/apparmor.d/groups/apps/okular b/apparmor.d/groups/apps/okular
deleted file mode 100644
index f74153d0..00000000
--- a/apparmor.d/groups/apps/okular
+++ /dev/null
@@ -1,124 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{okular_ext} = [pP][dD][fF]
-
-@{exec_path} = @{bin}/okular
-profile okular @{exec_path} {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
-
- @{exec_path} mr,
-
- # Which media files Okular should be able to open
- / r,
- /home/ r,
- owner @{HOME}/ r,
- owner @{HOME}/**/ r,
- @{MOUNTS}/ r,
- owner @{MOUNTS}/**/ r,
- /tmp/ r,
- /tmp/mozilla_*/ r,
- owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
-
- owner @{user_config_dirs}/#@{int} rw,
-
- owner @{user_config_dirs}/okularrc rw,
- owner @{user_config_dirs}/okularrc.lock rwk,
- owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int},
-
- owner @{user_config_dirs}/okularpartrc rw,
- owner @{user_config_dirs}/okularpartrc.lock rwk,
- owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int},
-
- owner @{user_config_dirs}/kdeglobals r,
- owner @{user_config_dirs}/kwalletrc r,
-
- owner @{user_share_dirs}/okular/{,**} rw,
-
- owner @{user_config_dirs}/qt5ct/{,**} r,
- /usr/share/qt5ct/** r,
-
- owner @{user_cache_dirs}/ rw,
- owner @{user_cache_dirs}/okular/{,**} rw,
-
- /usr/share/okular/{,**} r,
- /usr/share/kxmlgui5/okular/{,*} r,
-
- /usr/share/poppler/** r,
- /usr/share/hwdata/pnp.ids r,
-
- /etc/xdg/ui/ui_standards.rc r,
-
- @{PROC}/sys/kernel/core_pattern r,
- deny @{PROC}/sys/kernel/random/boot_id r,
- deny owner @{PROC}/@{pid}/cmdline r,
-
- /dev/shm/#@{int} rw,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # Search phrase in google
- @{bin}/xdg-open rCx -> open,
- /usr/share/kservices5/searchproviders/{,*.desktop} r,
- /usr/share/kservices5/{,*.protocol} r,
- /etc/xdg/kshorturifilterrc r,
-
- # Print to pdf
- @{bin}/ps2pdf rPUx,
- owner /tmp/@{hex} rw,
- owner /tmp/#@{int} rw,
- owner /tmp/okular_*.ps rwl -> /tmp/#@{int},
-
- # About
- /usr/share/kf{5,6}/licenses/GPL_V2 r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
-
- profile open {
- include
- include
-
- @{bin}/xdg-open mr,
-
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/readlink rix,
- @{bin}/basename rix,
-
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/ r,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPUx,
-
- # file_inherit
- owner @{HOME}/.xsession-errors w,
-
- }
-
- include if exists
-}
diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular
new file mode 100644
index 00000000..5bb7f910
--- /dev/null
+++ b/apparmor.d/groups/kde/okular
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/okular
+profile okular @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/ps2pdf rPUx,
+
+ @{bin}/gpg{,2} rCx -> gpg,
+ @{bin}/gpgcon rCx -> gpg,
+ @{bin}/gpgsm rCx -> gpg,
+
+ @{open_path} rPx -> child-open,
+
+ /usr/share/color-schemes/{,**} r,
+ /usr/share/okular/{,**} r,
+ /usr/share/poppler/{,**} r,
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/okularpartrc rw,
+ owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/okularpartrc.lock rwk,
+ owner @{user_config_dirs}/okularrc rw,
+ owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/okularrc.lock rwk,
+
+ owner @{user_share_dirs}/okular/ rw,
+ owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
+
+ owner @{user_cache_dirs}/okular/{,**} rw,
+
+ owner /tmp/#@{int} rw,
+ owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+
+ @{PROC}/sys/kernel/core_pattern r,
+
+ profile gpg {
+ include
+
+ @{bin}/gpg{,2} mr,
+ @{bin}/gpgcon mr,
+ @{bin}/gpgsm mr,
+
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+
+ include if exists
+ }
+
+ include if exists
+}
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index cf848a5d..b736cd02 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -253,7 +253,7 @@ nmcli complain
 nullmailer-send complain
 nvidia-detector complain
 nvidia-persistenced complain
-org.gnome.NautilusPreviewer complain
+okular complain
 os-prober attach_disconnected,complain
 package-data-downloader complain
 packagekitd attach_disconnected,complain
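Review bot: `@{bin}/gpgcon rCx -> gpg,` and the matching `@{bin}/gpgcon mr,` inside the gpg child profile look like a typo for `gpgconf`, the GnuPG helper that gpgme-based callers run to locate the other binaries; as written the rule matches no real binary, so that exec would be denied outright instead of being confined in the child. The child profile also grants only `r` on `@{run}/user/@{uid}/gnupg/`, which is a directory listing and not a connect to the agent socket inside it, so if signature verification goes through gpg-agent this will surface as a denial — presumably the rules came from one logged run, and a `# TODO: only gpg/gpgsm listing exercised, agent socket not yet covered` comment in the child would tell the next maintainer what was tested. Separately, `@{bin}/ps2pdf rPUx` lets the Ghostscript wrapper fall back to unconfined when no ps2pdf profile is loaded, and this is presumably the print-to-PDF path that feeds Ghostscript PostScript derived from an untrusted document; a dedicated child profile (or `rPx` once a ps2pdf profile exists) would keep that parser confined.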
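Review bot: The main.flags hunk replaces `org.gnome.NautilusPreviewer complain` with `okular complain` rather than inserting a new line, so this commit also moves the NautilusPreviewer profile out of complain mode, which has nothing to do with the okular rewrite. If that removal is intentional (for example because that profile no longer exists) it deserves its own commit or a mention in the description; otherwise keep both, sorted as `okular complain` followed by `org.gnome.NautilusPreviewer complain`.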