mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
feat(profile): rewrite the okular profile.
parent
a3f91f4224
commit
042e9ff543
@ -1,124 +0,0 @@
|
||||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{okular_ext} = [pP][dD][fF]
|
||||
|
||||
@{exec_path} = @{bin}/okular
|
||||
profile okular @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/X>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/private-files-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/kde-icon-cache-write>
|
||||
include <abstractions/qt5-settings-write>
|
||||
include <abstractions/qt5-compose-cache-write>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
# Which media files Okular should be able to open
|
||||
/ r,
|
||||
/home/ r,
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/**/ r,
|
||||
@{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/**/ r,
|
||||
/tmp/ r,
|
||||
/tmp/mozilla_*/ r,
|
||||
owner /{home,media,tmp/mozilla_*}/**.@{okular_ext} rw,
|
||||
|
||||
owner @{user_config_dirs}/#@{int} rw,
|
||||
|
||||
owner @{user_config_dirs}/okularrc rw,
|
||||
owner @{user_config_dirs}/okularrc.lock rwk,
|
||||
owner @{user_config_dirs}/okularrc.* rwl -> @{user_config_dirs}/#@{int},
|
||||
|
||||
owner @{user_config_dirs}/okularpartrc rw,
|
||||
owner @{user_config_dirs}/okularpartrc.lock rwk,
|
||||
owner @{user_config_dirs}/okularpartrc.* rwl -> @{user_config_dirs}/#@{int},
|
||||
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
owner @{user_config_dirs}/kwalletrc r,
|
||||
|
||||
owner @{user_share_dirs}/okular/{,**} rw,
|
||||
|
||||
owner @{user_config_dirs}/qt5ct/{,**} r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/okular/{,**} rw,
|
||||
|
||||
/usr/share/okular/{,**} r,
|
||||
/usr/share/kxmlgui5/okular/{,*} r,
|
||||
|
||||
/usr/share/poppler/** r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
|
||||
/etc/xdg/ui/ui_standards.rc r,
|
||||
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
deny @{PROC}/sys/kernel/random/boot_id r,
|
||||
deny owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
/dev/shm/#@{int} rw,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
/etc/machine-id r,
|
||||
|
||||
# Search phrase in google
|
||||
@{bin}/xdg-open rCx -> open,
|
||||
/usr/share/kservices5/searchproviders/{,*.desktop} r,
|
||||
/usr/share/kservices5/{,*.protocol} r,
|
||||
/etc/xdg/kshorturifilterrc r,
|
||||
|
||||
# Print to pdf
|
||||
@{bin}/ps2pdf rPUx,
|
||||
owner /tmp/@{hex} rw,
|
||||
owner /tmp/#@{int} rw,
|
||||
owner /tmp/okular_*.ps rwl -> /tmp/#@{int},
|
||||
|
||||
# About
|
||||
/usr/share/kf{5,6}/licenses/GPL_V2 r,
|
||||
|
||||
# Allowed apps to open
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
|
||||
profile open {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-open>
|
||||
|
||||
@{bin}/xdg-open mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/{m,g,}awk rix,
|
||||
@{bin}/readlink rix,
|
||||
@{bin}/basename rix,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
# Allowed apps to open
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
|
||||
# file_inherit
|
||||
owner @{HOME}/.xsession-errors w,
|
||||
|
||||
}
|
||||
|
||||
include if exists <local/okular>
|
||||
}
|
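--- a/apparmor.d/groups/kde/okular
+++ b/apparmor.d/groups/kde/okular
@@ -0,0 +1,67 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/okular
+profile okular @{exec_path} {
+include <abstractions/base>
+include <abstractions/bus-session>
+include <abstractions/graphics>
+include <abstractions/kde-strict>
+include <abstractions/nameservice-strict>
+include <abstractions/user-download-strict>
+include <abstractions/user-read>
+include <abstractions/user-write>
+
+@{exec_path} mr,
+
+@{bin}/ps2pdf rPUx,
+
+@{bin}/gpg{,2} rCx -> gpg,
+@{bin}/gpgcon rCx -> gpg,
+@{bin}/gpgsm rCx -> gpg,
+
+@{open_path} rPx -> child-open,
+
+/usr/share/color-schemes/{,**} r,
+/usr/share/okular/{,**} r,
+/usr/share/poppler/{,**} r,
+
+owner @{user_config_dirs}/#@{int} rw,
+owner @{user_config_dirs}/okularpartrc rw,
+owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+owner @{user_config_dirs}/okularpartrc.lock rwk,
+owner @{user_config_dirs}/okularrc rw,
+owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+owner @{user_config_dirs}/okularrc.lock rwk,
+
+owner @{user_share_dirs}/okular/ rw,
+owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**,
+
+owner @{user_cache_dirs}/okular/{,**} rw,
+
+owner /tmp/#@{int} rw,
+owner /tmp/okular_@{rand6}.ps rwl -> /tmp/#@{int},
+
+@{PROC}/sys/kernel/core_pattern r,
+
+profile gpg {
+include <abstractions/base>
+
+@{bin}/gpg{,2} mr,
+@{bin}/gpgcon mr,
+@{bin}/gpgsm mr,
+
+owner @{run}/user/@{uid}/ r,
+owner @{run}/user/@{uid}/gnupg/ r,
+
+include if exists <local/okular_gpg>
+}
+
+include if exists <local/okular>
+}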
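Review bot: `@{bin}/ps2pdf rPUx,` carries over the unconfined fallback from the old profile: if no `ps2pdf` profile is loaded, the Ghostscript wrapper runs without confinement on PostScript that okular produced from whatever document the user opened. Nothing on this page shows that a ps2pdf profile exists, so consider failing closed with `@{bin}/ps2pdf rPx,` or confining it locally with `@{bin}/ps2pdf rCx -> ps2pdf,` and a small child profile. The rewrite also drops `include <abstractions/private-files-strict>` while adding `user-read` and `user-write`, and replaces the old `*.pdf`-only file rule; unless one of the new abstractions carries equivalent denies (not visible here), restoring that include keeps key material and credential stores out of reach of the document parsers.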
@ -253,7 +253,7 @@ nmcli complain
|
||||
nullmailer-send complain
|
||||
nvidia-detector complain
|
||||
nvidia-persistenced complain
|
||||
org.gnome.NautilusPreviewer complain
|
||||
okular complain
|
||||
os-prober attach_disconnected,complain
|
||||
package-data-downloader complain
|
||||
packagekitd attach_disconnected,complain
|
||||
|
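Review bot: `okular complain` leaves the rewritten profile in complain mode, assuming this list is the per-profile flags file and that entry is the line being added (the page has lost the file header and the +/- markers). In complain mode AppArmor logs what the rules would have denied instead of blocking it, so the restrictions in the new profile are observed but not enforced. If that is a deliberate soak period, a tracking issue for dropping the flag once the denial logs are clean would keep it from becoming permanent. `okular` and `org.gnome.NautilusPreviewer` are also out of alphabetical order relative to each other, unlike the neighbouring entries.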