feat(tunable): add @{editor_path} & @{pager_path}.

2024-11-14 23:43:56 +01:00 · 2024-09-08 13:25:49 +01:00 · 2024-09-08 13:25:49 +01:00 · 2af1d06f18
commit 2af1d06f18
parent 4f310b8802
35 changed files with 63 additions and 124 deletions
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@ -45,9 +45,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{coreutils_path}      rix,
  @{shells_path}         rix,

-  @{bin}/less            rPx -> child-pager,
-  @{bin}/more            rPx -> child-pager,
-  @{bin}/pager           rPx -> child-pager,
+  @{pager_path}          rPx -> child-pager,

 #   @{open_path}           rPx -> child-open,

--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -99,11 +99,10 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /usr/share/language-tools/language-options            rPx,

  # For editing the sources.list file
-  @{bin}/sensible-editor rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
+  @{editor_path} rCx -> editor,

  # For changelogs
-  @{bin}/sensible-pager  rCx -> pager,
+  @{pager_path}  rCx -> pager,

  #aa:only whonix
  @{lib}/uwt/uwtwrapper rix,
@ -168,8 +167,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {

    @{bin}/                      r,
    @{sh_path}                   rix,
-    @{bin}/less                  rix,
-    @{bin}/sensible-pager         mr,
+    @{pager_path}               rmix,
    @{bin}/which{,.debianutils}  rix,

    /root/ r,  # For shell pwd
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@ -28,7 +28,7 @@ profile apt-listchanges @{exec_path} {
  #  shared object file): ignored.
  @{bin}/dpkg-deb       rpx,
  #
-  @{bin}/sensible-pager rCx -> pager,
+  @{pager_path}        rCx -> pager,
  # Send results using email
  @{bin}/exim4         rPx,

@ -83,12 +83,11 @@ profile apt-listchanges @{exec_path} {
    capability dac_read_search,
    #capability sys_tty_config,

-    @{bin}/sensible-pager mr,
+    @{pager_path}  mrix,

    @{bin}/           r,
    @{sh_path}        rix,
    @{bin}/which{,.debianutils}      rix,
-    @{bin}/less       rix,

    owner @{HOME}/.less* rw,

@ -98,6 +97,7 @@ profile apt-listchanges @{exec_path} {
          /tmp/ r,
    owner @{tmp}/apt-listchanges-tmp*.txt r,

+    include if exists <local/apt-listchanges_pager>
  }

  include if exists <local/apt-listchanges>
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@ -105,7 +105,7 @@ profile aptitude @{exec_path} flags=(complain) {
  owner @{user_cache_dirs}/aptitude/ rw,
  owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw,
  owner @{user_cache_dirs}/aptitude/metadata-download rwk,
-  @{bin}/sensible-pager rCx -> pager,
+  @{pager_path} rCx -> pager,

  # For aptitude-run-state-bundle
  owner @{tmp}/aptitudebug.*/ r,
@ -172,19 +172,18 @@ profile aptitude @{exec_path} flags=(complain) {
    include <abstractions/consoles>

    @{bin}/            r,
-    @{bin}/sensible-pager mr,
+    @{editor_path}  mrix,
    @{sh_path}       rix,

    @{bin}/which{,.debianutils}      rix,
-    @{bin}/less       rix,

    owner @{HOME}/.less* rw,
-
    owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw,

    # For shell pwd
    /root/ r,

+    include if exists <local/aptitude_pager>
  }

  include if exists <local/aptitude>
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -34,10 +34,7 @@ profile dpkg @{exec_path} {
  @{lib}/needrestart/dpkg-status rPx,
  /usr/share/debian-security-support/check-support-status.hook rPx,

-  @{bin}/pager       rPx -> child-pager,
-  @{bin}/less        rPx -> child-pager,
-  @{bin}/more        rPx -> child-pager,
-  @{bin}/diff        rPx -> child-pager,
+  @{pager_path}      rPx -> child-pager,

  # Package maintainer's scripts
  # Move it to a child profile once more transitions will be available
--- a/apparmor.d/groups/apt/dpkg-query
+++ b/apparmor.d/groups/apt/dpkg-query
@ -16,9 +16,7 @@ profile dpkg-query @{exec_path} {

  @{sh_path}        rix,

-  @{bin}/pager      rPx -> child-pager,
-  @{bin}/less       rPx -> child-pager,
-  @{bin}/more       rPx -> child-pager,
+  @{pager_path}     rPx -> child-pager,

  /var/lib/dpkg/** r,

--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -47,10 +47,8 @@ profile reportbug @{exec_path} {
  @{bin}/dlocate          rPx,
  @{bin}/dpkg             rPx -> child-dpkg,
  @{bin}/dpkg-query       rpx,
-  @{bin}/less             rPx -> child-pager,
  @{bin}/lsb_release      rPx -> lsb_release,
-  @{bin}/more             rPx -> child-pager,
-  @{bin}/pager            rPx -> child-pager,
+  @{pager_path}           rPx -> child-pager,
  @{bin}/systemctl        rCx -> systemctl,
  @{lib}/firefox/firefox rPUx,  # App allowed to open
  /usr/share/bug/*       rPUx,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -22,11 +22,7 @@ profile crontab @{exec_path} {
  @{exec_path} mr,

  @{sh_path}             rix,
-
-  # When editing the crontab file
-  @{bin}/sensible-editor rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
-  @{bin}/nvim            rCx -> editor,
+  @{editor_path}         rCx -> editor,

  /etc/cron.{allow,deny} r,
  /etc/environment r,
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@ -15,9 +15,7 @@ profile nmcli @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less            rPx -> child-pager,
-  @{bin}/more            rPx -> child-pager,
-  @{bin}/pager           rPx -> child-pager,
+  @{pager_path}          rPx -> child-pager,

  owner @{HOME}/.nm-vpngate/*.ovpn r,
  owner @{HOME}/.cert/nm-openvpn/*.pem rw,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -196,10 +196,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {

    signal send set=cont peer=child-pager,

-    @{bin}/pager       rPx -> child-pager,
-    @{bin}/less        rPx -> child-pager,
-    @{bin}/more        rPx -> child-pager,
-    @{bin}/diff        rPx -> child-pager,
+    @{pager_path}      rPx -> child-pager,

    /etc/machine-id r,

--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -22,9 +22,7 @@ profile bootctl @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /{boot,efi}/ r,
  /{boot,efi}/EFI/{,**} r,
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -37,9 +37,7 @@ profile busctl @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/comm r,
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@ -22,9 +22,7 @@ profile coredumpctl @{exec_path} flags=(complain) {

  @{bin}/gdb   rCx -> gdb,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -25,9 +25,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@ -15,9 +15,7 @@ profile localectl @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /usr/share/kbd/keymaps/{,**} r,

--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@ -19,9 +19,7 @@ profile loginctl @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  include if exists <local/loginctl>
 }
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -35,9 +35,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /etc/udev/hwdb.bin r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -28,9 +28,7 @@ profile systemd-analyze @{exec_path} {

  @{lib}/systemd/system-environment-generators/* rix,

-  @{bin}/pager     rPx -> child-pager,
-  @{bin}/less      rPx -> child-pager,
-  @{bin}/more      rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,
  @{bin}/man       rPx,

  /usr/ r,
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@ -14,9 +14,7 @@ profile systemd-cgls @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  @{sys}/fs/cgroup/{,**} r,

--- a/apparmor.d/groups/systemd/systemd-cgtop
+++ b/apparmor.d/groups/systemd/systemd-cgtop
@ -14,9 +14,7 @@ profile systemd-cgtop @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  @{sys}/fs/cgroup/{,**} r,

--- a/apparmor.d/groups/systemd/systemd-dissect
+++ b/apparmor.d/groups/systemd/systemd-dissect
@ -25,9 +25,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/fsck  rPx,
-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  # Location of file system OS images
  @{user_build_dirs}/{,**} r,
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@ -13,9 +13,7 @@ profile systemd-mount @{exec_path} {

  @{exec_path} mr,

-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  @{sys}/bus/ r,
  @{sys}/class/ r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -37,6 +37,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  @{sh_path}              rix,
  @{coreutils_path}       rix,
+  @{pager_path}           rPx -> child-pager,
  @{bin}/*-print-pci-ids  rix,
  @{bin}/alsactl          rPUx,
  @{bin}/ddcutil          rPx,
@ -44,16 +45,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/ethtool          rix,
  @{bin}/issue-generator  rPx,
  @{bin}/kmod             rPx,
-  @{bin}/less             rPx -> child-pager,
  @{bin}/logger           rix,
  @{bin}/ls               rix,
  @{bin}/lvm              rPx,
  @{bin}/mknod            rix,
-  @{bin}/more             rPx -> child-pager,
  @{bin}/multipath        rPx,
  @{bin}/nfsrahead        rix,
  @{bin}/nvidia-modprobe  rPx -> child-modprobe-nvidia,
-  @{bin}/pager            rPx -> child-pager,
  @{bin}/perl             rix,
  @{bin}/setfacl          rix,
  @{bin}/sg_inq           rix,
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@ -16,9 +16,7 @@ profile userdbctl @{exec_path} {

  @{exec_path} mr,
  
-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
-  @{bin}/pager rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /etc/shadow r,
  /etc/gshadow r,
--- a/apparmor.d/profiles-a-f/dmesg
+++ b/apparmor.d/profiles-a-f/dmesg
@ -18,9 +18,7 @@ profile dmesg @{exec_path} {
  @{exec_path} mr,

  @{sh_path}        rix,
-  @{bin}/less       rPx -> child-pager,
-  @{bin}/more       rPx -> child-pager,
-  @{bin}/pager      rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /usr/share/terminfo/** r,

--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -62,9 +62,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
  @{bin}/wc          rix,
  @{bin}/whoami      rix,

-  @{bin}/pager       rPx -> child-pager,
-  @{bin}/less        rPx -> child-pager,
-  @{bin}/more        rPx -> child-pager,
+  @{pager_path}      rPx -> child-pager,

  @{bin}/man         rPx,
  @{bin}/meld       rPUx,
@ -74,9 +72,7 @@ profile git @{exec_path} flags=(attach_disconnected) {

  @{bin}/gpg{,2}         rCx -> gpg,
  @{bin}/ssh             rCx -> ssh,
-  @{bin}/sensible-editor rCx -> editor,
-  @{bin}/vim             rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
+  @{editor_path}         rCx -> editor,

  /usr/share/git{,-core}/{,**} r,
  /usr/share/libalternatives/{,**} r,
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@ -27,9 +27,7 @@ profile gpo @{exec_path} {
  @{bin}/ r,
  @{sh_path}        rix,
  @{bin}/uname      rix,
-  @{bin}/pager      rPx -> child-pager,
-  @{bin}/less       rPx -> child-pager,
-  @{bin}/more       rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /etc/inputrc r,

--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@ -37,13 +37,8 @@ profile mutt @{exec_path} {
 
  @{bin}/w3m             rCx -> html-renderer,
  @{bin}/lynx            rCx -> html-renderer,
-  @{bin}/vim             rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
-  @{bin}/sensible-editor rCx -> editor,
-
-  @{bin}/less            rCx -> pager,
-  @{bin}/more            rCx -> pager,
-  @{bin}/pager           rCx -> pager,
+  @{editor_path}         rCx -> editor,
+  @{pager_path}          rCx -> pager,

  @{bin}/gpg{2,}         rCx -> gpg,
  @{bin}/gpgconf         rCx -> gpg,
@ -118,9 +113,7 @@ profile mutt @{exec_path} {
    include <abstractions/base>
    include <abstractions/consoles>

-    @{bin}/less  mr,
-    @{bin}/more  mr,
-    @{bin}/pager mr,
+    @{pager_path}  mr,

    /usr/share/terminfo/** r,
    /usr/share/file/misc/magic.mgc r,
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -46,7 +46,7 @@ profile pass @{exec_path} {
  @{bin}/gpg{2,}         rCx -> gpg,
  @{bin}/pkill           rCx -> pkill,
  @{bin}/qdbus           rCx -> qdbus,
-  @{bin}/vim{,.*}        rCx -> editor,
+  @{editor_path}         rCx -> editor,
  @{lib}/git{,-core}/git rCx -> git,
  @{bin}/wl-{copy,paste} rPx,
  @{bin}/xclip           rPx,
@ -112,10 +112,7 @@ profile pass @{exec_path} {
    @{bin}/git*              mrix,
    @{lib}/git{,-core}/git*  mrix,

-    @{bin}/pager         rPx -> child-pager,
-    @{bin}/less          rPx -> child-pager,
-    @{bin}/more          rPx -> child-pager,
-
+    @{pager_path}   rPx -> child-pager,
    @{bin}/gpg{2,}  rPx -> pass//gpg,

    /usr/share/git{,-core}/{,**} r,
--- a/apparmor.d/profiles-s-z/task
+++ b/apparmor.d/profiles-s-z/task
@ -23,10 +23,7 @@ profile task @{exec_path} {
  @{exec_path}            mr,

  @{sh_path}             rix,
-
-  @{bin}/vim             rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
-  @{bin}/sensible-editor rCx -> editor,
+  @{editor_path}         rCx -> editor,

  /usr/share/{doc/,}task{warrior,}/** r,

--- a/apparmor.d/profiles-s-z/udisksctl
+++ b/apparmor.d/profiles-s-z/udisksctl
@ -15,9 +15,7 @@ profile udisksctl @{exec_path} {

  @{sh_path}        rix,

-  @{bin}/pager rPx -> child-pager,
-  @{bin}/less  rPx -> child-pager,
-  @{bin}/more  rPx -> child-pager,
+  @{pager_path} rPx -> child-pager,

  /dev/tty rw,

--- a/apparmor.d/profiles-s-z/vipw-vigr
+++ b/apparmor.d/profiles-s-z/vipw-vigr
@ -16,9 +16,7 @@ profile vipw-vigr @{exec_path} {
  @{exec_path} mr,

  @{sh_path}             rix,
-
-  @{bin}/sensible-editor rCx -> editor,
-  @{bin}/vim.*           rCx -> editor,
+  @{editor_path}         rCx -> editor,

  /etc/login.defs r,

--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@ -34,10 +34,16 @@
@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names}

 # Open
-@{open_path}  = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
-@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
+@{open_path}  = @{bin}/@{open_names}
+@{open_path} += @{lib}/gio-launch-desktop
@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop

+# Editor
+@{editor_path} = @{bin}/@{editor_names}
+
+# Pager
+@{pager_path} = @{bin}/@{pager_names}
+
 # File explorers
@{file_explorers_path} = @{bin}/@{file_explorers_names}

--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@ -28,6 +28,15 @@
 # Python interpreters
@{python_name} = python{,3,3.[0-9],3.1[0-9]}

+# Open
+@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop
+
+# Editor
+@{editor_names} = sensible-editor vim{,.*} nvim nano
+
+# Pager
+@{pager_names} = sensible-pager pager less more
+
 # Browsers

@{brave_name} = brave{,-beta,-dev,-bin}
--- a/docs/install.md
+++ b/docs/install.md
@ -148,9 +148,7 @@ The following desktop environments are supported:
        @{bin}/wl-{copy,paste} rPx,
        @{bin}/xclip           rPx,
        @{bin}/python3.@{int} rPx -> pass-import,  # pass-import
-            @{bin}/pager         rPx -> child-pager,
-            @{bin}/less          rPx -> child-pager,
-            @{bin}/more          rPx -> child-pager,
+            @{pager_path}        rPx -> child-pager,
        '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
        ```
        So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired.