mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 17:08:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ubuntu 22.04, third batch (#65)

Browse source 
* initial

* ready

* cleanup

* cleanup2

* Update dbus-gtk
This commit is contained in:
nobodysu 2022-09-06 17:00:18 +00:00 committed by GitHub
parent 672d0a758b
commit 1649b427f8
Failed to generate hash of commit
9 changed files with 272 additions and 104 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/X-strict
View file

@ -30,4 +30,7 @@
# Xwayland # Xwayland
owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
/etc/X11/cursors/{,**} r,
/usr/share/X11/{,**} r,
include if exists <abstractions/X-strict.d> include if exists <abstractions/X-strict.d>

2
apparmor.d/abstractions/dbus-gtk
View file

@ -28,7 +28,7 @@
dbus (send, receive) bus=session path=/org/freedesktop/Notifications dbus (send, receive) bus=session path=/org/freedesktop/Notifications
interface=org.freedesktop.Notifications interface=org.freedesktop.Notifications
peer=(name="{org.freedesktop.Notifications,:*}"), peer=(name="{org.freedesktop.Notifications,org.freedesktop.DBus,:*}"), # all members
dbus (receive) bus=accessibility path=/org/a11y/atspi/registry dbus (receive) bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry interface=org.a11y.atspi.Registry

7
apparmor.d/abstractions/freedesktop.org.d/complete
View file

@ -4,3 +4,10 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
owner @{HOME}/.icons/default/index.theme r, owner @{HOME}/.icons/default/index.theme r,
@{system_share_dirs}/*ubuntu/applications/{**,} r,
@{system_share_dirs}/gnome/applications/{**,} r,
@{system_share_dirs}/xfce4/applications/{**,} r,
/etc/gnome/defaults.list r,
/etc/xfce4/defaults.list r,

35
apparmor.d/groups/apps/thunderbird
View file

@ -8,6 +8,9 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{MOZ_LIBDIR} = /{usr/,}lib/thunderbird @{MOZ_LIBDIR} = /{usr/,}lib/thunderbird
@{MOZ_HOMEDIR} = @{HOME}/.thunderbird @{MOZ_HOMEDIR} = @{HOME}/.thunderbird
@{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird @{MOZ_CACHEDIR} = @{user_cache_dirs}/thunderbird
@ -17,12 +20,13 @@ include <tunables/global>
profile thunderbird @{exec_path} { profile thunderbird @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/opencl-intel> include <abstractions/nameservice-strict>
include <abstractions/gtk>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/mesa>
include <abstractions/opencl-intel>
include <abstractions/nvidia> include <abstractions/nvidia>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/mesa>
include <abstractions/gtk>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
@ -30,10 +34,9 @@ profile thunderbird @{exec_path} {
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/dconf-write>
include <abstractions/ibus> include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
@ -54,28 +57,30 @@ profile thunderbird @{exec_path} {
owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w, owner @{PROC}/@{pid}/uid_map w,
dbus (send) bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=RequestName member=RequestName
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (send) bus=system path=/org/freedesktop/RealtimeKit[0-9]* dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime} member={Get,MakeThreadHighPriority,MakeThreadRealtime}
peer=(name=org.freedesktop.RealtimeKit[0-9]*), peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send) bus=system path=/org/freedesktop/UPower dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower interface=org.freedesktop.UPower
member=EnumerateDevices member=EnumerateDevices
peer=(name=org.freedesktop.UPower), peer=(name=org.freedesktop.UPower),
dbus (send) bus=session path=/ca/desrt/dconf/Writer/user dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer interface=ca.desrt.dconf.Writer
member={Change,Notify} member={Change,Notify}
peer=(name=ca.desrt.dconf), peer=(name=ca.desrt.dconf),
dbus (bind) bus=session dbus bind bus=session
name=org.mozilla.thunderbird.*, name=org.mozilla.thunderbird.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
owner /tmp/dbus-[0-9a-zA-Z]* rw, owner /tmp/dbus-[0-9a-zA-Z]* rw,
@{exec_path} mrix, @{exec_path} mrix,
@ -121,6 +126,7 @@ profile thunderbird @{exec_path} {
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/Mail/ rw, owner @{HOME}/Mail/ rw,
owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**, owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,
owner @{user_share_dirs}/ r,
# Fix error in libglib while saving files as # Fix error in libglib while saving files as
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -143,7 +149,6 @@ profile thunderbird @{exec_path} {
/usr/share/qt5ct/** r, /usr/share/qt5ct/** r,
# gnome-tiny # gnome-tiny
/etc/gnome/defaults.list r,
/usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/gvfs/remote-volume-monitors/{,*} r,
@{run}/mount/utab r, @{run}/mount/utab r,
@ -195,13 +200,12 @@ profile thunderbird @{exec_path} {
/etc/timezone r, /etc/timezone r,
/usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/ubuntu/applications/{,*} r,
# Silencer # Silencer
deny /{usr/,}lib/thunderbird/** w, deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-{open,mime} rCx -> open,
/{usr/,}bin/exo-open rCx -> open, /{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
@ -213,11 +217,11 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/gpgsm rCx -> gpg, /{usr/,}bin/gpgsm rCx -> gpg,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx, /{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx, /{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx, /{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
@ -288,17 +292,18 @@ profile thunderbird @{exec_path} {
/{usr/,}bin/{,m,g}awk rix, /{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
/{usr/,}bin/xfce4-mime-helper rix,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
# Allowed apps to open # Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx, /{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/engrampa rPx, /{usr/,}bin/engrampa rPx,
/{usr/,}bin/geany rPx, /{usr/,}bin/geany rPx,
@{FIREFOX_BIN} rPx,
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,

67
apparmor.d/groups/apps/vlc
View file

@ -53,30 +53,27 @@ include <tunables/global>
profile vlc @{exec_path} { profile vlc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/opencl-intel> include <abstractions/nameservice-strict>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/opencl-intel>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/audio> include <abstractions/vulkan>
include <abstractions/nvidia> include <abstractions/nvidia>
include <abstractions/audio>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/vlc-art-cache-write>
include <abstractions/nameservice-strict>
include <abstractions/vulkan>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/private-files-strict> include <abstractions/private-files-strict>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/devices-usb> include <abstractions/ibus>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/ibus> include <abstractions/devices-usb>
include <abstractions/vlc-art-cache-write>
# capability sys_ptrace,
# ptrace (read),
signal (receive) set=(term, kill) peer=anyremote//*, signal (receive) set=(term, kill) peer=anyremote//*,
@ -86,67 +83,62 @@ profile vlc @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
dbus (send) bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName,GetConnectionUnixProcessID} member={RequestName,ReleaseName,GetConnectionUnixProcessID}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/org/freedesktop/Notifications dbus send bus=session path=/org/a11y/bus
interface=org.freedesktop.Notifications
member=NotificationClosed
peer=(name=:*),
dbus (send) bus=session path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.a11y.Bus), peer=(name=org.a11y.Bus),
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Get,RegisterStatusNotifierItem} member={Get,RegisterStatusNotifierItem}
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierItem dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon} member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/StatusNotifierItem dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member=Activate member=Activate
peer=(name=:*), peer=(name=:*),
dbus (receive) bus=session path=/StatusNotifierItem dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Get,GetAll} member={Get,GetAll}
peer=(name=:*), peer=(name=:*),
dbus (send) bus=session path=/ScreenSaver dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit} member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver), peer=(name=org.freedesktop.ScreenSaver),
dbus (receive) bus=session path=/MenuBar dbus receive bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*), peer=(name=:*),
dbus (send) bus=session path=/MenuBar dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member={LayoutUpdated,ItemsPropertiesUpdated} member={LayoutUpdated,ItemsPropertiesUpdated}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/MenuBar dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*), peer=(name=:*),
@ -157,47 +149,47 @@ profile vlc @{exec_path} {
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.* interface=org.mpris.MediaPlayer2.*
peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members peer=(name="{org.mpris.MediaPlayer2.vlc,org.freedesktop.DBus,:*}"), # all members
# dbus (send) bus=system path=/ # dbus send bus=system path=/
# interface=org.freedesktop.DBus.Peer # interface=org.freedesktop.DBus.Peer
# member=Ping, # member=Ping,
# peer=(name="org.freedesktop.Avahi"), # peer=(name="org.freedesktop.Avahi"),
dbus (send) bus=accessibility path=/org/freedesktop/DBus dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch} member={Hello,AddMatch,RemoveMatch}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket interface=org.a11y.atspi.Socket
member=Embed member=Embed
peer=(name=org.a11y.atspi.Registry), peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Set member=Set
peer=(name=:*), peer=(name=:*),
dbus (send) bus=accessibility path=/org/a11y/atspi/registry dbus send bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry interface=org.a11y.atspi.Registry
member=GetRegisteredEvents member=GetRegisteredEvents
peer=(name=org.a11y.atspi.Registry), peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/registry dbus receive bus=accessibility path=/org/a11y/atspi/registry
interface=org.a11y.atspi.Registry interface=org.a11y.atspi.Registry
member=EventListenerDeregistered member=EventListenerDeregistered
peer=(name=:*), peer=(name=:*),
dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
interface=org.a11y.atspi.DeviceEventController interface=org.a11y.atspi.DeviceEventController
member={GetKeystrokeListeners,GetDeviceEventListeners} member={GetKeystrokeListeners,GetDeviceEventListeners}
peer=(name=org.a11y.atspi.Registry), peer=(name=org.a11y.atspi.Registry),
dbus (bind) bus=session dbus bind bus=session
name=org.kde.StatusNotifierItem-*, name=org.kde.StatusNotifierItem-*,
dbus (bind) bus=session dbus bind bus=session
name=org.mpris.MediaPlayer2.vlc{,.instance*}, name=org.mpris.MediaPlayer2.vlc{,.instance*},
@{exec_path} mrix, @{exec_path} mrix,
@ -257,6 +249,7 @@ profile vlc @{exec_path} {
/etc/fstab r, /etc/fstab r,
/usr/share/hwdata/pnp.ids r, /usr/share/hwdata/pnp.ids r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
# Be able to turn off the screensaver while playing movies # Be able to turn off the screensaver while playing movies
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,

4
apparmor.d/groups/apt/command-not-found
View file

@ -8,6 +8,7 @@ include <tunables/global>
@{exec_path} = /usr/share/command-not-found/command-not-found @{exec_path} = /usr/share/command-not-found/command-not-found
@{exec_path} += /{usr/,}bin/command-not-found @{exec_path} += /{usr/,}bin/command-not-found
@{exec_path} += /{usr/,}lib/command-not-found
profile command-not-found @{exec_path} { profile command-not-found @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>
@ -23,5 +24,8 @@ profile command-not-found @{exec_path} {
/usr/share/command-not-found/{,**} r, /usr/share/command-not-found/{,**} r,
# Silencer
deny /usr/lib/ r,
include if exists <local/command-not-found> include if exists <local/command-not-found>
} }

111
apparmor.d/groups/browsers/firefox
View file

@ -10,6 +10,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr} @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
@{MOZ_LIBDIR} += /opt/firefox{,-esr}
@{MOZ_HOMEDIR} = @{HOME}/.mozilla @{MOZ_HOMEDIR} = @{HOME}/.mozilla
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr} @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
profile firefox @{exec_path} flags=(attach_disconnected) { profile firefox @{exec_path} flags=(attach_disconnected) {
@ -17,8 +18,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/enchant> include <abstractions/enchant>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
@ -31,6 +32,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
include <abstractions/user-read> include <abstractions/user-read>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/wayland> include <abstractions/wayland>
include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-gtk>
capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_admin, # If kernel.unprivileged_userns_clone = 1
capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
@ -46,6 +50,83 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus),
dbus send bus=session path=/ScreenSaver
interface=org.freedesktop.ScreenSaver
member={Inhibit,UnInhibit}
peer=(name=org.freedesktop.ScreenSaver),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=Read
peer=(name=:*),
dbus receive bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.portal.Settings
member=SettingChanged
peer=(name=:*),
dbus send bus=session path=/org/freedesktop/portal/desktop
interface=org.freedesktop.DBus.Properties
member={GetAll,Read}
peer=(name=:*),
dbus send bus=system path=/org/freedesktop/UPower
interface=org.freedesktop.UPower
member=EnumerateDevices
peer=(name=org.freedesktop.UPower),
dbus send bus=session path=/org/freedesktop/PowerManagement/Inhibit
interface=org.freedesktop.PowerManagement.Inhibit
member=Inhibit
peer=(name=org.freedesktop.PowerManagement),
dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]*
member={Get,MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID}
peer=(name=org.freedesktop.RealtimeKit[0-9]*),
dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2
interface=org.freedesktop.DBus.Properties
member={GetAll,PropertiesChanged}
peer=(name="{org.freedesktop.DBus,:*}"),
dbus receive bus=session path=/org/mpris/MediaPlayer2
interface=org.mpris.MediaPlayer2.Playlists
member=GetPlaylists
peer=(name=:*),
dbus receive bus=system path=/org/freedesktop/login[0-9]*
interface=org.freedesktop.login[0-9]*.Manager
member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareForShutdown}
peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/metadata
interface=org.gtk.vfs.Metadata
member=GetTreeFromDevice
peer=(name=:*),
dbus send bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=org.mozilla.firefox.* label=firefox),
dbus receive bus=session path=/org/mozilla/firefox/Remote
interface=org.mozilla.firefox
member=OpenURL
peer=(name=:* label=firefox),
dbus bind bus=session
name=org.mpris.MediaPlayer2.firefox.*,
dbus bind bus=session
name=org.mozilla.firefox.*,
deny dbus send bus=system path=/org/freedesktop/hostname[0-9]*,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
@ -59,8 +140,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
@{libexec}/gvfsd-metadata rPx, @{libexec}/gvfsd-metadata rPx,
/{usr/,}bin/browserpass rPx, /{usr/,}bin/browserpass rPx,
/{usr/,}bin/gpa rPUx, /{usr/,}bin/gpa rPx,
/{usr/,}bin/keepassxc-proxy rPUx, /{usr/,}bin/keepassxc-proxy rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/update-mime-database rPx, /{usr/,}bin/update-mime-database rPx,
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
@ -81,6 +162,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx, /{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx, /{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
/{usr/,}lib/mozilla/plugins/ r, /{usr/,}lib/mozilla/plugins/ r,
@ -88,13 +170,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/usr/share/doc/{,**} r, /usr/share/doc/{,**} r,
/usr/share/egl/{,**} r, /usr/share/egl/{,**} r,
/usr/share/firefox/{,**} r, /usr/share/firefox{,-esr}/{,**} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mozilla/extensions/{,**} r, /usr/share/mozilla/extensions/{,**} r,
/usr/share/webext/{,**} r, /usr/share/webext/{,**} r,
/usr/share/xul-ext/kwallet5/* r, /usr/share/xul-ext/kwallet5/* r,
/etc/firefox/{,**} r, /etc/firefox{,-esr}/{,**} r,
/etc/fstab r, /etc/fstab r,
/etc/igfx_user_feature{,_next}.txt w, /etc/igfx_user_feature{,_next}.txt w,
/etc/libva.conf r, /etc/libva.conf r,
@ -103,8 +185,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/etc/opensc.conf r, /etc/opensc.conf r,
/etc/xul-ext/kwallet5.js r, /etc/xul-ext/kwallet5.js r,
/var/lib/dbus/machine-id r, # gnome-tiny
/etc/machine-id r, @{run}/mount/utab r,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -118,7 +200,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r, owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
owner @{user_config_dirs}/ r, owner @{user_config_dirs}/ r,
owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix-wayland-[0-9]*} r, owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]*} r,
owner @{user_config_dirs}/mimeapps.list{,.*} rw, owner @{user_config_dirs}/mimeapps.list{,.*} rw,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
@ -130,14 +212,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/ r, owner @{user_share_dirs}/ r,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
owner @{user_share_dirs}/applications/userapp-Firefox-??????.desktop{,.??????} rw,
/var/tmp/ r, /var/tmp/ r,
/tmp/ r, /tmp/ r,
owner /tmp/* rw, owner /tmp/* rw,
owner /tmp/firefox_*/ rw, owner /tmp/firefox_*/ rw,
owner /tmp/firefox_*/* rwk, owner /tmp/firefox_*/* rwk,
owner /tmp/firefox/ rw, owner /tmp/firefox{,-esr}/ rw,
owner /tmp/firefox/* rwk, owner /tmp/firefox{,-esr}/* rwk,
owner /tmp/mozilla_*/ rw, owner /tmp/mozilla_*/ rw,
owner /tmp/mozilla_*/* rw, owner /tmp/mozilla_*/* rw,
owner /tmp/Temp-*/ rw, owner /tmp/Temp-*/ rw,
@ -171,6 +254,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny owner @{PROC}/@{pid}/smaps r, deny owner @{PROC}/@{pid}/smaps r,
deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/statm r, deny owner @{PROC}/@{pid}/statm r,
@ -189,10 +273,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
deny /dev/shm/ r, deny /dev/shm/ r,
# Silencer # Silencer
deny /{usr/,}lib/firefox/** w, deny @{MOZ_LIBDIR}/** w,
deny capability sys_ptrace, deny capability sys_ptrace,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
deny owner @{HOME}/.* r, deny owner @{HOME}/.* r,
deny /tmp/MozillaUpdateLock-* w,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
@ -203,7 +288,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix, /{usr/,}bin/basename rix,
@ -221,6 +306,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/vlc rPx, /{usr/,}bin/vlc rPx,
/{usr/,}bin/xarchiver rPx, /{usr/,}bin/xarchiver rPx,
/{usr/,}bin/evince rPx,
/usr/share/xfce4/exo/exo-compose-mail rPx, /usr/share/xfce4/exo/exo-compose-mail rPx,
owner @{HOME}/ r, owner @{HOME}/ r,
@ -230,6 +316,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
include if exists <local/firefox_open>
} }
include if exists <local/firefox> include if exists <local/firefox>

63
apparmor.d/profiles-a-f/engrampa
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile engrampa @{exec_path} { profile engrampa @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/X-strict>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@ -17,6 +18,60 @@ profile engrampa @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-gtk>
include <abstractions/ibus>
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetId
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
dbus send bus=session path=/ca/desrt/dconf/Writer/user
interface=ca.desrt.dconf.Writer
member={Change,Notify}
peer=(name=ca.desrt.dconf),
dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
interface=org.gtk.Private.RemoteVolumeMonitor
member={IsSupported,List}
peer=(name=:*),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member={ListMounts2,LookupMount}
peer=(name=:*),
dbus receive bus=session path=/org/gtk/vfs/mounttracker
interface=org.gtk.vfs.MountTracker
member=Mounted
peer=(name=:*),
dbus send bus=session path=/org/gtk/vfs/Daemon
interface=org.gtk.vfs.Daemon
member=GetConnection
peer=(name=:*),
dbus receive bus=session path=/org/gtk/Application/anonymous
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/[0-9]*}
interface=org.gtk.Actions
member=DescribeAll
peer=(name=:*),
@{exec_path} mr, @{exec_path} mr,
@ -69,9 +124,12 @@ profile engrampa @{exec_path} {
/usr/share/**.desktop r, /usr/share/**.desktop r,
/usr/share/**/icons/**.png r, /usr/share/**/icons/**.png r,
/etc/magic r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/magic r, # gnome-tiny
@{run}/mount/utab r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -85,11 +143,11 @@ profile engrampa @{exec_path} {
/{usr/,}bin/geany rPx, /{usr/,}bin/geany rPx,
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx, /{usr/,}bin/spacefm rPx,
/{usr/,}bin/ristretto rPUx,
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
@ -115,6 +173,7 @@ profile engrampa @{exec_path} {
# file_inherit # file_inherit
owner @{HOME}/.xsession-errors w, owner @{HOME}/.xsession-errors w,
include if exists <local/engrampa_open>
} }
include if exists <local/engrampa> include if exists <local/engrampa>

58
apparmor.d/profiles-m-r/qbittorrent
View file

@ -6,11 +6,15 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{FIREFOX_BIN} = /{usr/,}lib/firefox{,-esr}/firefox
@{FIREFOX_BIN} += /opt/firefox{,-esr}/firefox
@{exec_path} = /{usr/,}bin/qbittorrent @{exec_path} = /{usr/,}bin/qbittorrent
profile qbittorrent @{exec_path} { profile qbittorrent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/X> include <abstractions/nameservice-strict>
include <abstractions/X-strict>
include <abstractions/gtk> include <abstractions/gtk>
include <abstractions/fonts> include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
@ -20,21 +24,20 @@ profile qbittorrent @{exec_path} {
include <abstractions/qt5> include <abstractions/qt5>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/dconf-write>
include <abstractions/ibus> include <abstractions/ibus>
include <abstractions/dconf-write>
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/dbus-session-strict> include <abstractions/dbus-session-strict>
include <abstractions/dbus-accessibility-strict> include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict> include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
include <abstractions/wayland>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/wayland>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
signal (send) set=(term, kill) peer=qbittorrent//python3, signal send set=(term, kill) peer=qbittorrent//python3,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -43,67 +46,67 @@ profile qbittorrent @{exec_path} {
network netlink dgram, network netlink dgram,
network netlink raw, network netlink raw,
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Introspectable interface=org.freedesktop.DBus.Introspectable
member=Introspect member=Introspect
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierWatcher dbus send bus=session path=/StatusNotifierWatcher
interface=org.kde.StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher
member=RegisterStatusNotifierItem member=RegisterStatusNotifierItem
peer=(name=org.kde.StatusNotifierWatcher), peer=(name=org.kde.StatusNotifierWatcher),
dbus (send) bus=session path=/StatusNotifierItem dbus send bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member={NewToolTip,NewIcon} member={NewToolTip,NewIcon}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/StatusNotifierItem dbus receive bus=session path=/StatusNotifierItem
interface=org.kde.StatusNotifierItem interface=org.kde.StatusNotifierItem
member=Activate member=Activate
peer=(name=:*), peer=(name=:*),
dbus (receive) bus=session path=/StatusNotifierItem dbus receive bus=session path=/StatusNotifierItem
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*), peer=(name=:*),
dbus (receive) bus=session path=/MenuBar dbus receive bus=session path=/MenuBar
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll member=GetAll
peer=(name=:*), peer=(name=:*),
dbus (send) bus=session path=/MenuBar dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member=ItemsPropertiesUpdated member=ItemsPropertiesUpdated
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (receive) bus=session path=/MenuBar dbus receive bus=session path=/MenuBar
interface=com.canonical.dbusmenu interface=com.canonical.dbusmenu
member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}
peer=(name=:*), peer=(name=:*),
dbus (send) bus=session path=/org/freedesktop/DBus dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={RequestName,ReleaseName} member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket interface=org.a11y.atspi.Socket
member=Embed member=Embed
peer=(name=org.a11y.atspi.Registry), peer=(name=org.a11y.atspi.Registry),
dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Set member=Set
peer=(name=:*), peer=(name=:*),
dbus (bind) bus=session dbus bind bus=session
name=org.kde.StatusNotifierItem-*, name=org.kde.StatusNotifierItem-*,
owner /tmp/dbus-[0-9a-zA-Z]* rw, owner /tmp/dbus-[0-9a-zA-Z]* rw,
@ -167,9 +170,6 @@ profile qbittorrent @{exec_path} {
# file_inherit # file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
# X-tiny
owner @{run}/user/@{uid}/ICEauthority r,
# gnome-tiny # gnome-tiny
/usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/gvfs/remote-volume-monitors/{,*} r,
/usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -186,19 +186,29 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx, /{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx, /{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/nautilus rPx, /{usr/,}bin/nautilus rPx,
@{FIREFOX_BIN} rPx,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
include <abstractions/dbus-gtk> include <abstractions/dbus-gtk>
dbus (send) bus=session path=/org/gnome/{Nautilus,Totem,gedit} dbus send bus=session path=/org/gnome/{Nautilus,Totem,gedit}
interface=org.freedesktop.Application interface=org.freedesktop.Application
member=Open member=Open
peer=(name="org.gnome.{Nautilus,Totem,gedit}"), peer=(name="org.gnome.{Nautilus,Totem,gedit}"),
dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.a11y.atspi.Socket
member=Embed
peer=(name=org.a11y.atspi.Registry),
dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
interface=org.freedesktop.DBus.Properties
member=Set
peer=(name=:*),
/{usr/,}bin/xdg-open mr, /{usr/,}bin/xdg-open mr,
# Allowed apps to open # Allowed apps to open
@ -210,8 +220,8 @@ profile qbittorrent @{exec_path} {
/{usr/,}bin/viewnior rPUx, /{usr/,}bin/viewnior rPUx,
/{usr/,}bin/qpdfview rPx, /{usr/,}bin/qpdfview rPx,
/{usr/,}bin/ebook-viewer rPx, /{usr/,}bin/ebook-viewer rPx,
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/engrampa rPx, /{usr/,}bin/engrampa rPx,
@{FIREFOX_BIN} rPx,
/{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/{ba,da,}sh rix,
/{usr/,}bin/{g,m,}awk rix, /{usr/,}bin/{g,m,}awk rix,