feat: remove unsupported profiles.
This commit is contained in:
parent
03753373a9
commit
2e69fa0a01
4 changed files with 0 additions and 377 deletions
|
@ -1,36 +0,0 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
# Copyright (C) 2018 Software in the Public Interest, Inc.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# Author: Bryan Quigley <bryan.quigley@canonical.com>
|
||||
# Rene Engelhard <rene@debian.org>
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
profile libreoffice-oosplash /usr/lib/libreoffice/program/oosplash flags=(complain) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/X>
|
||||
|
||||
/etc/libreoffice/ r,
|
||||
/etc/libreoffice/** r,
|
||||
/etc/passwd r,
|
||||
/etc/nsswitch.conf r,
|
||||
@{run}/nscd/passwd r,
|
||||
/sys/devices/{virtual,pci[0-9]*}/**/queue/rotational r, # for isRotational() in desktop/unx/source/pagein.c
|
||||
/usr/lib{,32,64}/ure/bin/javaldx rmpux,
|
||||
/usr/share/libreoffice/program/* r,
|
||||
/usr/lib/libreoffice/program/** r,
|
||||
/usr/lib/libreoffice/program/soffice.bin rmpx,
|
||||
/usr/lib/libreoffice/program/javaldx rmpux,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
|
||||
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined),
|
||||
unix peer=(addr=@/tmp/.X11-unix/* label=unconfined),
|
||||
}
|
|
@ -1,37 +0,0 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
# Copyright (C) 2017 Software in the Public Interest, Inc.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
|
||||
# Rene Engelhard <rene@debian.org>
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/{usr/,}bin/sh rmix,
|
||||
/{usr/,}bin/bash rmix,
|
||||
/{usr/,}bin/dash rmix,
|
||||
/{usr/,}bin/sed rmix,
|
||||
/usr/bin/dirname rmix,
|
||||
/usr/bin/basename rmix,
|
||||
/{usr/,}bin/grep rmix,
|
||||
/{usr/,}bin/uname rmix,
|
||||
/usr/bin/xdg-open rPx,
|
||||
/usr/bin/xdg-email rPx,
|
||||
/dev/null rw,
|
||||
/usr/lib/libreoffice/program/uri-encode rmpux,
|
||||
/usr/share/libreoffice/share/config/* r,
|
||||
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
|
||||
}
|
||||
|
|
@ -1,273 +0,0 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
# Copyright (C) 2018 Software in the Public Interest, Inc.
|
||||
# Copyright (C) 2021 Google LLC
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# Authors: Jonathan Davies <jonathan.davies@canonical.com>
|
||||
# Bryan Quigley <bryan.quigley@canonical.com>
|
||||
# Rene Engelhard <rene@debian.org>
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
# This profile should enable the average LibreOffice user to get their
|
||||
# work done while blocking some advanced usage
|
||||
# Namely not tested and likely not working : embedded plugins,
|
||||
# Using the LibreOffice SDK and other development tasks
|
||||
# Everything else should be working
|
||||
|
||||
#Defines all common supported file formats
|
||||
#Some obscure ones we're excluded (mostly input)
|
||||
|
||||
#Generic
|
||||
#.txt
|
||||
@{libreoffice_ext} = [tT][xX][tT]
|
||||
#All the open document format
|
||||
@{libreoffice_ext} += {,f,F}[oO][dDtT][tTsSpPbBgGfF]
|
||||
#.xml and xsl
|
||||
@{libreoffice_ext} += [xX][mMsS][lL]
|
||||
#.pdf
|
||||
@{libreoffice_ext} += [pP][dD][fF]
|
||||
#Unified office format
|
||||
@{libreoffice_ext} += [uU][oO][fFtTsSpP]
|
||||
#(x)htm(l)
|
||||
@{libreoffice_ext} += {,x,X}[hH][tT][mM]{,l,L}
|
||||
#.epub
|
||||
@{libreoffice_ext} += [eE][pP][uU][bB]
|
||||
#.ps (printing to file)
|
||||
@{libreoffice_ext} += [pP][sS]
|
||||
|
||||
#Images
|
||||
@{libreoffice_ext} += [jJ][pP][gG]
|
||||
@{libreoffice_ext} += [jJ][pP][eE][gG]
|
||||
@{libreoffice_ext} += [pP][nN][gG]
|
||||
@{libreoffice_ext} += [sS][vV][gG]
|
||||
@{libreoffice_ext} += [sS][vV][gG][zZ]99251
|
||||
@{libreoffice_ext} += [tT][iI][fF]
|
||||
@{libreoffice_ext} += [tT][iI][fF][fF]
|
||||
|
||||
#Writer
|
||||
@{libreoffice_ext} += [dD][oO][cCtT]{,x,X}
|
||||
@{libreoffice_ext} += [rR][tT][fF]
|
||||
|
||||
#Calc
|
||||
@{libreoffice_ext} += [xX][lL][sStT]{,x,X,m,M}
|
||||
@{libreoffice_ext} += [xX][lL][wW]
|
||||
#.dif dbf
|
||||
@{libreoffice_ext} += [dD][iIbB][fF]
|
||||
#.tsv .csv
|
||||
@{libreoffice_ext} += [cCtT][sS][vV]
|
||||
@{libreoffice_ext} += [sS][lL][kK]
|
||||
|
||||
#Impress/Draw
|
||||
@{libreoffice_ext} += [pP][pP][tTsS]{,x,X}
|
||||
@{libreoffice_ext} += [pP][oO][tT]{,m,M}
|
||||
#Photoshop
|
||||
@{libreoffice_ext} += [pP][sS][dD]
|
||||
|
||||
#Math
|
||||
@{libreoffice_ext} += [mM][mM][lL]
|
||||
|
||||
@{libo_user_dirs} = @{HOME} /mnt /media
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(complain) {
|
||||
#include <abstractions/private-files>
|
||||
|
||||
#include <abstractions/audio>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/cups-client>
|
||||
#include <abstractions/dbus>
|
||||
#include <abstractions/dbus-session>
|
||||
#include <abstractions/dbus-accessibility>
|
||||
#include <abstractions/dri-enumerate>
|
||||
#include <abstractions/mesa>
|
||||
#include <abstractions/ibus>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/gnome>
|
||||
# GnuPG1 only...
|
||||
# #include <abstractions/gnupg>
|
||||
#include <abstractions/python>
|
||||
#include <abstractions/p11-kit>
|
||||
|
||||
#include <abstractions/user-tmp>
|
||||
|
||||
#include <abstractions/opencl-intel>
|
||||
#include <abstractions/opencl-mesa>
|
||||
#include <abstractions/opencl-nvidia>
|
||||
|
||||
#List directories for file browser
|
||||
/ r,
|
||||
/**/ r,
|
||||
|
||||
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
|
||||
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
|
||||
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
|
||||
owner @{libo_user_dirs}/{,**/}lu????????{,?,??,???,????}.tmp rwk, #Temporary file used when saving
|
||||
owner @{libo_user_dirs}/{,**/}.directory r, #Read directory settings on KDE
|
||||
|
||||
# Settings
|
||||
/etc/libreoffice/ r,
|
||||
/etc/libreoffice/** r,
|
||||
|
||||
/etc/cups/ppd/*.ppd r,
|
||||
/etc/xml/catalog r, #exporting to .xhtml, for libxml2
|
||||
/proc/*/status r,
|
||||
|
||||
owner @{user_config_dirs}/libreoffice{,dev}/** rwk,
|
||||
owner @{user_config_dirs}/soffice.binrc rwl -> @{user_config_dirs}/#[0-9]*,
|
||||
owner @{user_config_dirs}/soffice.binrc.* rwl -> @{user_config_dirs}/#[0-9]*,
|
||||
owner @{user_config_dirs}/soffice.binrc.lock rwk,
|
||||
owner @{user_cache_dirs}/fontconfig/** rw,
|
||||
owner @{user_config_dirs}/gtk-???/bookmarks r, #Make bookmarks work
|
||||
|
||||
owner /{,var/}run/user/@{uid}/dconf/user rw,
|
||||
owner @{user_config_dirs}/dconf/user r,
|
||||
|
||||
# allow schema to be read
|
||||
/usr/share/glib-*/schemas/ r,
|
||||
/usr/share/glib-*/schemas/** r,
|
||||
|
||||
# bluetooth send to
|
||||
network bluetooth,
|
||||
|
||||
/{usr/,}bin/sh rmix,
|
||||
/{usr/,}bin/bash rmix,
|
||||
/{usr/,}bin/dash rmix,
|
||||
/{usr/,}bin/rm rmix, #deleting /tmp/psp1534203998 (printing to file)
|
||||
/usr/bin/bluetooth-sendto rmPUx,
|
||||
/usr/bin/lpr rmPUx,
|
||||
/usr/bin/paperconf rmix,
|
||||
/usr/bin/gpgconf rmix,
|
||||
/usr/bin/gpg rmCx -> gpg,
|
||||
/usr/bin/gpgsm rmCx -> gpg,
|
||||
/usr/bin/gpa rix,
|
||||
/usr/bin/seahorse rix,
|
||||
/usr/bin/kgpg rix,
|
||||
/usr/bin/kleopatra rix,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
/usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx,
|
||||
owner @{user_cache_dirs}/gstreamer-???/** rw,
|
||||
unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this
|
||||
|
||||
/usr/lib{,32,64}/jvm/ r,
|
||||
/usr/lib{,32,64}/jvm/** r,
|
||||
/usr/lib{,32,64}/jvm/**/jre/bin/java mix,
|
||||
/usr/lib{,32,64}/jvm/**/bin/java mix,
|
||||
# should be included in the jvm/** above but there it is
|
||||
# a symlink, so apparmor still doesn't allow it...
|
||||
/etc/java-??-openjdk/security/java.security r,
|
||||
/usr/lib/libreoffice/** rw,
|
||||
/usr/lib/libreoffice/**.so m,
|
||||
/usr/lib/libreoffice/program/soffice.bin mix,
|
||||
/usr/lib/libreoffice/program/xpdfimport px,
|
||||
/usr/lib/libreoffice/program/senddoc px,
|
||||
/usr/bin/xdg-open rPx,
|
||||
|
||||
/usr/share/java/**.jar r,
|
||||
/usr/share/hunspell/ r,
|
||||
/usr/share/hunspell/** r,
|
||||
/usr/share/hyphen/ r,
|
||||
/usr/share/hyphen/** r,
|
||||
/usr/share/mythes/ r,
|
||||
/usr/share/mythes/** r,
|
||||
/usr/share/liblangtag/ r,
|
||||
/usr/share/liblangtag/** r,
|
||||
/usr/share/libreoffice/ r,
|
||||
/usr/share/libreoffice/** r,
|
||||
/usr/share/yelp-xsl/xslt/mallard/** r,
|
||||
/usr/share/libexttextcat/* r,
|
||||
/usr/share/icu/** r,
|
||||
/usr/share/locale-bundle/* r,
|
||||
|
||||
/var/spool/libreoffice/ r,
|
||||
/var/spool/libreoffice/** rw,
|
||||
/var/cache/fontconfig/ rw,
|
||||
|
||||
#Likely moving to abstractions in the future
|
||||
owner @{HOME}/.icons/*/cursors/* r,
|
||||
/etc/fstab r, # Solid::DeviceNotifier::instance() TODO: deny?
|
||||
/usr/share/*-fonts/conf.avail/*.conf r,
|
||||
/usr/share/fonts-config/conf.avail/*.conf r,
|
||||
/{,var/}run/udev/data/+usb:* r, # Solid::Device::listFromQuery()
|
||||
/{,var/}run/udev/data/{c,b}*:* r, # Solid::Device::description(), Solid::Device::listFromQuery()
|
||||
@{PROC}/sys/kernel/random/boot_id r, # KRecentDocument::add() -> QSysInfo::bootUniqueId()
|
||||
|
||||
#To avoid "Unable to create io-slave." for file dialog
|
||||
owner /{,var/}run/user/@{uid}/#[0-9]* rw,
|
||||
#For KIO IO::Slave::createSlave()
|
||||
owner /{,var/}run/user/@{uid}/soffice.bin*.slave-socket wl -> /{,var/}run/user/@{uid}/#[0-9]*,
|
||||
|
||||
owner @{HOME}/.mozilla/firefox/profiles.ini r,
|
||||
owner @{HOME}/.mozilla/firefox/*/secmod.db r,
|
||||
# firefox < 58
|
||||
owner @{HOME}/.mozilla/firefox/*/cert8.db r,
|
||||
# firefox >= 58
|
||||
owner @{HOME}/.mozilla/firefox/*/cert9.db r,
|
||||
|
||||
owner @{user_share_dirs}/user-places.xbel r,
|
||||
|
||||
# there is abstractions/gnupg but that's just for gpg1...
|
||||
profile gpg {
|
||||
#include <abstractions/base>
|
||||
|
||||
/usr/bin/gpgconf mr,
|
||||
/usr/bin/gpg mr,
|
||||
/usr/bin/gpgsm mr,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/* r,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/tofu.db rwk,
|
||||
}
|
||||
|
||||
# probably should become a subprofile like gpg above, but then it doesn't
|
||||
# work either as it tries to access stuff only allowed above...
|
||||
owner @{user_config_dirs}/kdeglobals r,
|
||||
/usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
|
||||
/usr/share/qt5/translations/* r,
|
||||
/usr/lib/*/qt5/plugins/** mr,
|
||||
/usr/share/plasma/look-and-feel/**/contents/defaults r,
|
||||
|
||||
# TODO: remove when rules are available in abstractions/kde
|
||||
owner @{user_cache_dirs}/ksycoca5_??_* r, # KDE System Configuration Cache
|
||||
owner @{user_config_dirs}/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
|
||||
owner @{user_config_dirs}/dolphinrc r, # settings used by KFileWidget
|
||||
owner @{user_config_dirs}/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
|
||||
owner @{user_config_dirs}/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
|
||||
owner @{user_config_dirs}/trashrc r, # user by KFileWidget
|
||||
/usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent
|
||||
|
||||
# TODO: remove when rules are available in abstractions/kde-write-icon-cache or similar
|
||||
owner @{user_cache_dirs}/icon-cache.kcache rw, # for KIconLoader
|
||||
|
||||
# TODO: remove when rules are available in abstractions/kdeframeworks5 or similar
|
||||
/usr/share/kservices5/*.protocol r,
|
||||
|
||||
# TODO: use qt5-settings-write abstraction when it is available
|
||||
owner @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] rw,
|
||||
owner @{user_config_dirs}/QtProject.conf rw,
|
||||
owner @{user_config_dirs}/QtProject.conf.?????? l -> @{user_config_dirs}/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
|
||||
owner @{user_config_dirs}/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
|
||||
owner @{user_config_dirs}/QtProject.conf.lock rwk,
|
||||
|
||||
# TODO: use qt5-compose-cache-write abstraction when it is available
|
||||
owner @{user_cache_dirs}/qt_compose_cache_{little,big}_endian_* r,
|
||||
|
||||
# TODO: use recent-documents-write abstraction when it is available
|
||||
owner @{user_share_dirs}/RecentDocuments/** r,
|
||||
owner @{user_share_dirs}/RecentDocuments/*.desktop rwl -> @{user_share_dirs}/RecentDocuments/#[0-9]*,
|
||||
owner @{user_share_dirs}/RecentDocuments/#[0-9]* rw,
|
||||
owner @{user_share_dirs}/RecentDocuments/*.lock rwk,
|
||||
|
||||
# TODO: use kde-globals-write abstraction when it is available
|
||||
owner @{user_config_dirs}/kdeglobals rw,
|
||||
owner @{user_config_dirs}/kdeglobals.* rwl -> @{user_config_dirs}/#[0-9]*,
|
||||
owner @{user_config_dirs}/kdeglobals.lock rwk,
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
# ------------------------------------------------------------------
|
||||
#
|
||||
# Copyright (C) 2016 Canonical Ltd.
|
||||
# Copyright (C) 2017 Software in the Public Interest, Inc.
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# Authors: Bryan Quigley <bryan.quigley@canonical.com>
|
||||
# Rene Engelhard <rene@debian.org>
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
profile libreoffice-xpdfimport /usr/lib/libreoffice/program/xpdfimport flags=(complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/usr/share/poppler/** r,
|
||||
/usr/share/libreoffice/share/config/* r,
|
||||
owner @{user_config_dirs}/libreoffice{,dev}/?/user/uno_packages/cache/log.txt rw,
|
||||
|
||||
/usr/lib/libreoffice/program/xpdfimport pxm,
|
||||
|
||||
#Uncomment for build testing (should be one directory <- of instdir)
|
||||
#/mnt/store/git/libo/** r,
|
||||
}
|
||||
|