From 105a9b4def4582b7025f09d00136d13517f8e061 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 6 Oct 2024 15:46:07 +0100
Subject: [PATCH] feat(profile): cleanup and remove open subprofile when it is useless.
---
 apparmor.d/groups/apt/querybts | 35 +-------
 apparmor.d/profiles-a-f/arduino | 27 +------
 apparmor.d/profiles-a-f/cawbird | 36 ++-------
 apparmor.d/profiles-a-f/czkawka-gui | 28 +------
 apparmor.d/profiles-a-f/deltachat-desktop | 87 ++++++--------------
 apparmor.d/profiles-a-f/deluser | 17 ++--
 apparmor.d/profiles-g-l/gtk-youtube-viewer | 28 +------
 apparmor.d/profiles-g-l/hardinfo | 94 ++++++++--------------
 apparmor.d/profiles-m-r/mediainfo-gui | 24 +-----
 apparmor.d/profiles-m-r/orage | 36 +--------
 apparmor.d/profiles-m-r/quiterss | 80 +++++-------------
 apparmor.d/profiles-s-z/smtube | 29 +------
 apparmor.d/profiles-s-z/udiskie | 32 +-------
 apparmor.d/profiles-s-z/xarchiver | 40 +--------
 14 files changed, 111 insertions(+), 482 deletions(-)
diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts
index da7c4527..5c46246a 100644
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@@ -33,7 +33,7 @@ profile querybts @{exec_path} {
 @{bin}/stty rix,
 @{bin}/ldconfig rix,
- @{bin}/xdg-open rCx -> open,
+ @{open_path} rPx -> child-open-browsers,
 @{bin}/dpkg rPx -> child-dpkg,
@@ -46,41 +46,14 @@ profile querybts @{exec_path} { /etc/dpkg/origins/ r, /etc/dpkg/origins/debian r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, /var/lib/dbus/machine-id r, /etc/machine-id r, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index 0304dbc6..cfac12d4 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -39,7 +39,7 @@ profile arduino @{exec_path} { @{bin}/chmod rix, @{bin}/avrdude rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rCx -> child-open, @{bin}/dpkg-architecture rPx, @{bin}/arduino-builder rPx, @@ -109,31 +109,6 @@ profile arduino @{exec_path} { # Silencer deny /usr/share/arduino/** w, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - @{bin}/spacefm rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index ab2ac687..0d8c6a00 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird 
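Review bot: In the first arduino hunk, `@{open_path} rCx -> child-open,` keeps a `Cx` (local child) transition while the second arduino hunk deletes the only child profile in the file and nothing defines `profile child-open {` locally, so the exec target cannot resolve and opening a URL from the IDE should fail. Every other profile in this patch uses `rPx -> child-open`, which transitions to the shared top-level child profile; change the line to `@{open_path} rPx -> child-open,` (or keep `Cx` and define the child). The arduino profile body starts before and ends after these hunks, so I cannot see whether a child-open child exists elsewhere in the file, but the naming convention makes that unlikely.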
@@ -31,8 +31,12 @@ profile cawbird @{exec_path} { @{sh_path} rix, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, + @{open_path} rPx -> child-open, + + /usr/share/xml/iso-codes/{,**} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, @@ -40,36 +44,8 @@ profile cawbird @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, - /usr/share/xml/iso-codes/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{PROC}/@{pid}/fd/ r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index 30dc56b2..d7bb93f4 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, # Dirs to scan for duplicates #owner @{HOME}/** rw, @@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - #@{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index b3afbfc0..4f60099a 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop 
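Review bot: The cawbird hunk folds `@{bin}/exo-open rCx -> open,` into the single `@{open_path} rPx -> child-open,` rule, so whether exo-open remains reachable now depends entirely on how the `@{open_path}` tunable is defined, which is not part of this patch. If that tunable does not list `@{bin}/exo-open`, XFCE setups that previously got a confined child profile will get an exec denial instead. Either confirm the tunable covers it or keep an explicit `@{bin}/exo-open rPx -> child-open,` next to the new rule.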
+++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,13 +7,9 @@ abi , include -@{DCD_LIBDIR} = @{lib}/deltachat-desktop -@{DCD_LIBDIR} += @{lib}/deltachat -@{DCD_LIBDIR} += /opt/DeltaChat/ +@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ -@{exec_path} = /usr/bin/deltachat-desktop -@{exec_path} += /opt/DeltaChat/deltachat-desktop -#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop +@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include include @@ -35,15 +31,18 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{DCD_LIBDIR}/ r, - @{DCD_LIBDIR}/** r, - @{DCD_LIBDIR}/libffmpeg.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, - @{DCD_LIBDIR}/chrome-sandbox rPx, + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, + @{lib_dirs}/{swiftshader/,}libEGL.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open-browsers, owner @{user_config_dirs}/DeltaChat/ rw, owner @{user_config_dirs}/DeltaChat/** rwk, 
@@ -53,58 +52,24 @@ profile deltachat-desktop @{exec_path} { owner @{tmp}/@{hex}/db.sqlite rwk, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/oom_{,score_}adj r, - deny owner @{PROC}/@{pids}/oom_{,score_}adj w, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, - /dev/ r, + /dev/ r, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - # no new privs - @{bin}/xdg-settings rPx, - - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 54007917..eac7429b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser 
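Review bot: The rewritten @{PROC} block changes policy, not only layout: `deny owner @{PROC}/@{pid}/cmdline r,` becomes a plain allow, `deny owner @{PROC}/@{pids}/oom_{,score_}adj w,` becomes `owner @{PROC}/@{pid}/oom_{,score_}adj rw,`, and `deny @{sys}/devices/virtual/tty/tty@{int}/active r,` is dropped without replacement, so that access will now be logged rather than silenced. Those deny rules were explicit silencers and the commit message only talks about removing the open subprofile. If the widening is intended, say so in the message; otherwise keep `deny owner @{PROC}/@{pid}/oom_{,score_}adj w,` and the tty deny alongside the new lines. Narrowing `@{pids}` to `@{pid}` on the task and stat rules is a welcome tightening.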
@@ -14,24 +14,18 @@ profile deluser @{exec_path} { include include - # The deluser command is issued as root and its task is to delete regular user accounts. It - # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. - # Because of that, the deluser command needs the following CAPs to be able to do so. capability dac_read_search, capability dac_override, @{exec_path} r, @{bin}/perl r, - @{sh_path} rix, - - @{bin}/userdel rPx, + @{sh_path} rix, + @{bin}/crontab rPx, + @{bin}/gpasswd rPx, @{bin}/groupdel rPx, - @{bin}/gpasswd rPx, - - @{bin}/crontab rPx, - - @{bin}/mount rCx -> mount, + @{bin}/mount rCx -> mount, + @{bin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, @@ -45,7 +39,6 @@ profile deluser @{exec_path} { / r, /** rw, - profile mount { include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 18c3bd44..029e542e 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -40,8 +40,7 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, @@ -91,30 +90,7 @@ profile gtk-youtube-viewer @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 79c77f3a..f9188729 100644 
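Review bot: The first deluser hunk deletes the comment that justified `capability dac_read_search` and `capability dac_override` (removing or backing up user files via --remove-home/--remove-all-files); with it gone, a later reviewer sees two DAC-bypass capabilities plus the `/** rw,` rule in the next hunk with no recorded rationale. Keep a one-line note above the capabilities, e.g. `# Needed to remove or back up user files (--remove-home, --remove-all-files)`. The second deluser hunk only removes a blank line before the mount child profile.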
--- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -12,9 +12,7 @@ profile hardinfo @{exec_path} { include include include - include - include - include + include include include include @@ -49,7 +47,7 @@ profile hardinfo @{exec_path} { @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @@ -62,8 +60,22 @@ profile hardinfo @{exec_path} { @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, + /etc/fstab r, + /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner @{tmp}/#@{int} rw, + @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, 
@@ -78,48 +90,27 @@ profile hardinfo @{exec_path} { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/asound/cards r, + @{PROC}/bus/input/devices r, + @{PROC}/dma r, + @{PROC}/iomem r, + @{PROC}/ioports r, + @{PROC}/loadavg r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pids}/loginuid r, - @{PROC}/uptime r, - @{PROC}/loadavg r, - @{PROC}/ioports r, - @{PROC}/iomem r, - @{PROC}/dma r, - @{PROC}/asound/cards r, - @{PROC}/scsi/scsi r, - @{PROC}/bus/input/devices r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/@{pids}/net/route r, - /etc/fstab r, - /etc/exports r, - /etc/samba/smb.conf r, - - /etc/gdb/gdbinit.d/ r, - - /usr/share/gdb/python/ r, - /usr/share/gdb/python/** r, - - /var/log/wtmp r, - - owner @{HOME}/.hardinfo/ rw, - - owner @{tmp}/#@{int} rw, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # Silencer - deny /usr/share/gdb/python/** w, - - # file_inherit owner /dev/tty@{int} rw, + deny /usr/share/gdb/python/** w, profile ccache { include @@ -134,6 +125,7 @@ profile hardinfo @{exec_path} { /etc/debian_version r, + include if exists } profile javac { @@ -157,29 +149,7 @@ profile hardinfo @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } profile kmod { 
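Review bot: At the end of the hardinfo hunk `owner /dev/tty@{int} rw,` and `deny /usr/share/gdb/python/** w,` keep their effect but lose the `# file_inherit` and `# Silencer` labels that explained them, so the tty write now reads as a deliberate grant rather than an inherited descriptor. Putting the reason back inline keeps the cleanup and the rationale: `owner /dev/tty@{int} rw, # file_inherit` and `deny /usr/share/gdb/python/** w, # Silencer`. The hardinfo profile continues past this hunk with the ccache, javac and kmod child profiles.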
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 1d18d518..5a723d00 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -19,29 +19,7 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - @{lib}/firefox/firefox rPx, - - owner @{HOME}/ r, - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{open_path} rPx -> child-open-browsers, include if exists } diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 39d9a35d..f87c0fa9 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -21,9 +21,9 @@ profile orage @{exec_path} { @{bin}/globaltime rPx, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -35,38 +35,8 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 05de0d49..89395f8b 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss 
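Review bot: The orage hunk replaces three launchers (`@{bin}/xdg-open`, `@{bin}/exo-open` and `@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop`) with one `@{open_path} rPx -> child-open,` rule. gio-launch-desktop is the GLib helper behind g_app_info_launch, so if the `@{open_path}` tunable (defined outside this patch) does not list it, orage's open-link path turns from a confined child into an exec denial. Please confirm the tunable covers both `gio-launch-desktop` and `exo-open`, or keep those two rules next to the new one.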
@@ -10,22 +10,16 @@ include @{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -36,9 +30,14 @@ profile quiterss @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, /usr/share/quiterss/** r, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/QuiteRss/ rw, owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**, owner @{user_share_dirs}/QuiteRss/ rw, 
@@ -46,55 +45,20 @@ profile quiterss @{exec_path} { owner @{user_cache_dirs}/QuiteRss/ rw, owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - /dev/shm/#@{int} rw, - owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner /var/tmp/etilqs_@{hex16} rw, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index bbb404c8..c318328b 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube 
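Review bot: `/usr/share/hwdata/pnp.ids r,` is removed from quiterss with no replacement in this hunk; Qt reads it to resolve monitor vendor names, so unless one of the abstractions added in the first quiterss hunk grants it, this becomes a new denial. In the same block two explicit silencers turn into grants: `deny @{PROC}/sys/kernel/random/boot_id r,` becomes `@{PROC}/sys/kernel/random/boot_id r,` (a stable per-boot identifier the app previously could not read) and `deny owner @{PROC}/@{pid}/cmdline r,` becomes `owner @{PROC}/@{pid}/cmdline r,`. The commit message describes only removing the open subprofile; either note the widening there or keep the `deny` forms, and restore `/usr/share/hwdata/pnp.ids r,` unless an include covers it.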
@@ -68,38 +68,11 @@ profile smtube @{exec_path} { @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{open_path} rPx -> child-open, # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 6105c7da..01495503 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -26,7 +26,9 @@ profile udiskie @{exec_path} { @{bin}/python3.@{int} r, @{bin}/ r, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, @@ -35,37 +37,9 @@ profile udiskie @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/spacefm rPx, - # Silencer deny @{lib}/** w, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/spacefm rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 514ea5c3..9f87e3b9 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver 
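Review bot: The udiskie hunk drops `@{bin}/spacefm rPx,` from the profile itself, leaving `@{open_path} rPx -> child-open,` as the only route to a file manager. udiskie's browse action runs whatever file_manager is configured, so a config.yml that names spacefm directly instead of xdg-open now gets an exec denial where it previously had a confined transition. If direct launch is meant to be unsupported, note it in the commit; otherwise keep `@{bin}/spacefm rPx,` beside the new rule.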
@@ -42,7 +42,9 @@ profile xarchiver @{exec_path} { # For deb packages @{bin}/{,@{multiarch}-}ar rix, - @{bin}/xdg-open rCx -> open, + @{path_open} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, @@ -58,46 +60,12 @@ profile xarchiver @{exec_path} { /tmp/ r, owner @{tmp}/** rw, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists }
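Review bot: `@{path_open} rPx -> child-open,` in the first xarchiver hunk references a variable that every other profile in this patch spells `@{open_path}`. With that name undefined, apparmor_parser should refuse to load the profile, and if something does define `@{path_open}` the rule silently matches the wrong path, so xarchiver either loses confinement or loses its open capability. Change it to `@{open_path} rPx -> child-open,`. The second xarchiver hunk is consistent with the rest of the series.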