mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

feat(profile): cleanup and remove open subprofile when it is useless.

Browse Source
This commit is contained in:
Alexandre Pujol 2024-10-06 15:46:07 +01:00
parent 36f620dab1
commit 105a9b4def
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
14 changed files with 111 additions and 482 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
apparmor.d/groups/apt/querybts
View File

@ -33,7 +33,7 @@ profile querybts @{exec_path} {
@{bin}/stty rix,
@{bin}/ldconfig rix,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open-browsers,
@{bin}/dpkg rPx -> child-dpkg,
@ -46,41 +46,14 @@ profile querybts @{exec_path} {
/etc/dpkg/origins/ r,
/etc/dpkg/origins/debian r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/querybts>
}

27
apparmor.d/profiles-a-f/arduino
View File

@ -39,7 +39,7 @@ profile arduino @{exec_path} {
@{bin}/chmod rix,
@{bin}/avrdude rix,
@{bin}/xdg-open rCx -> open,
@{open_path} rCx -> child-open,
@{bin}/dpkg-architecture rPx,
@{bin}/arduino-builder rPx,
@ -109,31 +109,6 @@ profile arduino @{exec_path} {
# Silencer
deny /usr/share/arduino/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
@{bin}/spacefm rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/arduino>
}

36
apparmor.d/profiles-a-f/cawbird
View File

@ -31,8 +31,12 @@ profile cawbird @{exec_path} {
@{sh_path} rix,
@{bin}/xdg-open rCx -> open,
@{bin}/exo-open rCx -> open,
@{open_path} rPx -> child-open,
/usr/share/xml/iso-codes/{,**} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{user_config_dirs}/cawbird/ rw,
owner @{user_config_dirs}/cawbird/** rwk,
@ -40,36 +44,8 @@ profile cawbird @{exec_path} {
owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/cawbird-* rw,
/usr/share/xml/iso-codes/{,**} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
owner @{PROC}/@{pid}/fd/ r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/cawbird>
}

28
apparmor.d/profiles-a-f/czkawka-gui
View File

@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} {
@{exec_path} mr,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
# Dirs to scan for duplicates
#owner @{HOME}/** rw,
@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} {
@{sys}/fs/cgroup/{,**} r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
#@{lib}/firefox/firefox rPx,
@{bin}/smplayer rPx,
@{bin}/geany rPx,
@{bin}/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/czkawka-gui>
}

87
apparmor.d/profiles-a-f/deltachat-desktop
View File

@ -7,13 +7,9 @@ abi <abi/4.0>,
include <tunables/global>
@{DCD_LIBDIR} = @{lib}/deltachat-desktop
@{DCD_LIBDIR} += @{lib}/deltachat
@{DCD_LIBDIR} += /opt/DeltaChat/
@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/
@{exec_path} = /usr/bin/deltachat-desktop
@{exec_path} += /opt/DeltaChat/deltachat-desktop
#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop
@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop
profile deltachat-desktop @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -35,15 +31,18 @@ profile deltachat-desktop @{exec_path} {
@{exec_path} mrix,
@{DCD_LIBDIR}/ r,
@{DCD_LIBDIR}/** r,
@{DCD_LIBDIR}/libffmpeg.so mr,
@{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
@{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr,
@{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
@{DCD_LIBDIR}/chrome-sandbox rPx,
@{lib_dirs}/ r,
@{lib_dirs}/** r,
@{lib_dirs}/libffmpeg.so mr,
@{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
@{lib_dirs}/{swiftshader/,}libEGL.so mr,
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr,
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr,
@{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr,
@{lib_dirs}/chrome-sandbox rPx,
@{bin}/xdg-settings rPx,
@{open_path} rPx -> child-open-browsers,
owner @{user_config_dirs}/DeltaChat/ rw,
owner @{user_config_dirs}/DeltaChat/** rwk,
@ -53,58 +52,24 @@ profile deltachat-desktop @{exec_path} {
owner @{tmp}/@{hex}/db.sqlite rwk,
owner @{tmp}/@{hex}/db.sqlite-journal rw,
@{PROC}/ r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/task/ r,
@{PROC}/@{pids}/task/@{tid}/status r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pids}/oom_{,score_}adj r,
deny owner @{PROC}/@{pids}/oom_{,score_}adj w,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/task/ r,
@{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/statm r,
/dev/ r,
/dev/ r,
# (#FIXME#)
deny @{sys}/bus/pci/devices/ r,
deny @{sys}/devices/virtual/tty/tty@{int}/active r,
# no new privs
@{bin}/xdg-settings rPx,
@{bin}/xdg-open rCx -> open,
# Allowed apps to open
@{lib}/firefox/firefox rPx,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/deltachat-desktop>
}

17
apparmor.d/profiles-a-f/deluser
View File

@ -14,24 +14,18 @@ profile deluser @{exec_path} {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The deluser command is issued as root and its task is to delete regular user accounts. It
# optionally can remove user files (via --remove-home or --remove-all-files) or create a backup.
# Because of that, the deluser command needs the following CAPs to be able to do so.
capability dac_read_search,
capability dac_override,
@{exec_path} r,
@{bin}/perl r,
@{sh_path} rix,
@{bin}/userdel rPx,
@{sh_path} rix,
@{bin}/crontab rPx,
@{bin}/gpasswd rPx,
@{bin}/groupdel rPx,
@{bin}/gpasswd rPx,
@{bin}/crontab rPx,
@{bin}/mount rCx -> mount,
@{bin}/mount rCx -> mount,
@{bin}/userdel rPx,
/etc/adduser.conf r,
/etc/deluser.conf r,
@ -45,7 +39,6 @@ profile deluser @{exec_path} {
/ r,
/** rw,
profile mount {
include <abstractions/base>

28
apparmor.d/profiles-g-l/gtk-youtube-viewer
View File

@ -40,8 +40,7 @@ profile gtk-youtube-viewer @{exec_path} {
@{lib}/firefox/firefox rPx,
@{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
@{open_path} rPx -> child-open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
@ -91,30 +90,7 @@ profile gtk-youtube-viewer @{exec_path} {
# file_inherit
owner @{HOME}/.xsession-errors w,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/gtk-youtube-viewer_xterm>
}
include if exists <local/gtk-youtube-viewer>

94
apparmor.d/profiles-g-l/hardinfo
View File

@ -12,9 +12,7 @@ profile hardinfo @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/desktop>
include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/user-download-strict>
@ -49,7 +47,7 @@ profile hardinfo @{exec_path} {
@{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
@{bin}/ccache rCx -> ccache,
@{bin}/kmod rCx -> kmod,
@ -62,8 +60,22 @@ profile hardinfo @{exec_path} {
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/** r,
/usr/share/hardinfo/{,**} r,
/etc/fstab r,
/etc/exports r,
/etc/samba/smb.conf r,
/etc/gdb/gdbinit.d/ r,
/var/log/wtmp r,
owner @{HOME}/.hardinfo/ rw,
owner @{tmp}/#@{int} rw,
@{sys}/class/power_supply/ r,
@{sys}/class/thermal/ r,
@{sys}/bus/i2c/drivers/eeprom/ r,
@ -78,48 +90,27 @@ profile hardinfo @{exec_path} {
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r,
@{sys}/devices/**/power_supply/** r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/arp r,
@{PROC}/@{pid}/net/dev r,
@{PROC}/@{pid}/net/route r,
@{PROC}/@{pid}/net/wireless r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/asound/cards r,
@{PROC}/bus/input/devices r,
@{PROC}/dma r,
@{PROC}/iomem r,
@{PROC}/ioports r,
@{PROC}/loadavg r,
@{PROC}/scsi/scsi r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/loginuid r,
@{PROC}/uptime r,
@{PROC}/loadavg r,
@{PROC}/ioports r,
@{PROC}/iomem r,
@{PROC}/dma r,
@{PROC}/asound/cards r,
@{PROC}/scsi/scsi r,
@{PROC}/bus/input/devices r,
@{PROC}/sys/kernel/random/entropy_avail r,
@{PROC}/@{pids}/net/route r,
/etc/fstab r,
/etc/exports r,
/etc/samba/smb.conf r,
/etc/gdb/gdbinit.d/ r,
/usr/share/gdb/python/ r,
/usr/share/gdb/python/** r,
/var/log/wtmp r,
owner @{HOME}/.hardinfo/ rw,
owner @{tmp}/#@{int} rw,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# Silencer
deny /usr/share/gdb/python/** w,
# file_inherit
owner /dev/tty@{int} rw,
deny /usr/share/gdb/python/** w,
profile ccache {
include <abstractions/base>
@ -134,6 +125,7 @@ profile hardinfo @{exec_path} {
/etc/debian_version r,
include if exists <local/hardinfo_ccache>
}
profile javac {
@ -157,29 +149,7 @@ profile hardinfo @{exec_path} {
owner @{tmp}/hsperfdata_@{user}/ rw,
owner @{tmp}/hsperfdata_@{user}/@{pid} rw,
}
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
include if exists <local/hardinfo_javac>
}
profile kmod {

24
apparmor.d/profiles-m-r/mediainfo-gui
View File

@ -19,29 +19,7 @@ profile mediainfo-gui @{exec_path} {
@{exec_path} mr,
@{bin}/xdg-open rCx -> open,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
@{lib}/firefox/firefox rPx,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
@{open_path} rPx -> child-open-browsers,
include if exists <local/mediainfo-gui>
}

36
apparmor.d/profiles-m-r/orage
View File

@ -21,9 +21,9 @@ profile orage @{exec_path} {
@{bin}/globaltime rPx,
@{bin}/xdg-open rCx -> open,
@{bin}/exo-open rCx -> open,
@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
@{open_path} rPx -> child-open,
/etc/fstab r,
owner @{user_config_dirs}/orage/ rw,
owner @{user_config_dirs}/orage/* rw,
@ -35,38 +35,8 @@ profile orage @{exec_path} {
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/orage>
}

80
apparmor.d/profiles-m-r/quiterss
View File

@ -10,22 +10,16 @@ include <tunables/global>
@{exec_path} = @{bin}/quiterss
profile quiterss @{exec_path} {
include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/qt5>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/mesa>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
include <abstractions/wayland>
include <abstractions/ssl_certs>
include <abstractions/gstreamer>
include <abstractions/audio-client>
include <abstractions/desktop>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics>
include <abstractions/gstreamer>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
network inet dgram,
network inet6 dgram,
@ -36,9 +30,14 @@ profile quiterss @{exec_path} {
@{exec_path} mr,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
/usr/share/quiterss/** r,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/QuiteRss/ rw,
owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**,
owner @{user_share_dirs}/QuiteRss/ rw,
@ -46,55 +45,20 @@ profile quiterss @{exec_path} {
owner @{user_cache_dirs}/QuiteRss/ rw,
owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**,
owner @{PROC}/@{pid}/fd/ r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/dev/shm/#@{int} rw,
owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw,
owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk,
owner /var/tmp/etilqs_@{hex16} rw,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
@{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/dev/shm/#@{int} rw,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/quiterss>
}

29
apparmor.d/profiles-s-z/smtube
View File

@ -68,38 +68,11 @@ profile smtube @{exec_path} {
@{bin}/youtube-dl rPUx,
@{bin}/yt-dlp rPUx,
@{bin}/xdg-open rCx -> open,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
@{open_path} rPx -> child-open,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{lib}/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/smtube>
}

32
apparmor.d/profiles-s-z/udiskie
View File

@ -26,7 +26,9 @@ profile udiskie @{exec_path} {
@{bin}/python3.@{int} r,
@{bin}/ r,
@{bin}/xdg-open rCx -> open,
@{open_path} rPx -> child-open,
/etc/fstab r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,
@ -35,37 +37,9 @@ profile udiskie @{exec_path} {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
/etc/fstab r,
# Allowed apps to open
@{bin}/spacefm rPx,
# Silencer
deny @{lib}/** w,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{bin}/spacefm rPx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/udiskie>
}

40
apparmor.d/profiles-s-z/xarchiver
View File

@ -42,7 +42,9 @@ profile xarchiver @{exec_path} {
# For deb packages
@{bin}/{,@{multiarch}-}ar rix,
@{bin}/xdg-open rCx -> open,
@{path_open} rPx -> child-open,
/etc/fstab r,
owner @{user_config_dirs}/xarchiver/ rw,
owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw,
@ -58,46 +60,12 @@ profile xarchiver @{exec_path} {
/tmp/ r,
owner @{tmp}/** rw,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/fd/ r,
/etc/fstab r,
# Allowed apps to open
@{bin}/engrampa rPUx,
@{bin}/geany rPUx,
@{bin}/viewnior rPUx,
# file_inherit
owner /dev/tty@{int} rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/readlink rix,
@{bin}/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
@{bin}/engrampa rPUx,
@{bin}/geany rPUx,
@{bin}/viewnior rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/xarchiver>
}