feat(tunable): add the new version variable.

Alexandre Pujol 2024-09-05 14:05:35 +01:00
parent a93400280e
commit 35dcde9d90
13 changed files with 25 additions and 19 deletions


@ -14,7 +14,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gio @{exec_path} = @{bin}/gio
@{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop @{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-user> include <abstractions/app-launcher-user>


@ -59,8 +59,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{lib}/gnome-session-check-accelerated-gles-helper rix, @{lib}/gnome-session-check-accelerated-gles-helper rix,
@{lib}/gnome-session-failed rix, @{lib}/gnome-session-failed rix,
@{lib}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
/usr/share/dconf/profile/gdm r, /usr/share/dconf/profile/gdm r,
/usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter-dconf-defaults r,
@ -112,7 +112,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
@{bin}/env rix, @{bin}/env rix,
@{sh_path} r, @{sh_path} r,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
@{lib}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr,
@{lib}/** PUx, @{lib}/** PUx,


@ -184,9 +184,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{lib}/mutter-x11-frames rPx, @{lib}/mutter-x11-frames rPx,
#aa:exec polkit-agent-helper #aa:exec polkit-agent-helper
@{sh_path} rCx -> shell, @{sh_path} rCx -> shell,
@{lib}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
# nm-openvpn-auth-dialog # nm-openvpn-auth-dialog
@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
@ -409,7 +409,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
network inet stream, network inet stream,
network unix stream, network unix stream,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
@{lib}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr,
@{lib}/** PUx, @{lib}/** PUx,


@ -20,7 +20,7 @@ profile xfce-panel @{exec_path} {
@{bin}/exo-open rix, @{bin}/exo-open rix,
@{bin}/xfce4-mime-helper rix, @{bin}/xfce4-mime-helper rix,
@{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix, @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix,
@{lib}/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix,
@{bin}/sudo rCx -> root, @{bin}/sudo rCx -> root,


@ -19,10 +19,10 @@ profile exo-open @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, @{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx,
# It looks like gio-launch-desktop decides what app should be opened # It looks like gio-launch-desktop decides what app should be opened
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,


@ -63,7 +63,7 @@ profile gsmartcontrol @{exec_path} {
# The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as
# root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and
# hence this behavior should be blocked. # hence this behavior should be blocked.
deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, deny @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rx,
profile dbus { profile dbus {
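Review bot: The deny on the changed line covers only the multiarch `glib-@{version}` location of gio-launch-desktop, while this same commit records two other install locations for the identical binary (`@{bin}/gio-launch-desktop` and `@{lib}/gio-launch-desktop`, in the `@{open_path}` tunable and in the gnome-session and gnome-shell rules). If anything in this profile or an abstraction it includes grants either of those paths — the rest of the profile is outside this section, so I cannot tell — a browser launched as root is still reachable, which is precisely what the comment above the deny says must be blocked. I would deny all three locations, adding `deny @{bin}/gio-launch-desktop rx,` and `deny @{lib}/gio-launch-desktop rx,` next to the existing line. Note too that `@{version}` is stricter than the former `[0-9]*` glob, so a glib directory name outside its MAJOR{.MINOR{.PATCH}}{-TAG} shape silently drops out of the deny and falls back to whatever allow rules exist rather than to a denial.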


@ -40,8 +40,8 @@ profile gtk-youtube-viewer @{exec_path} {
@{lib}/firefox/firefox rPx, @{lib}/firefox/firefox rPx,
@{bin}/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/youtube-viewer/{,*} rw, owner @{user_config_dirs}/youtube-viewer/{,*} rw,


@ -95,7 +95,7 @@ profile jdownloader @{exec_path} {
# To open a web browser for CAPTCHA # To open a web browser for CAPTCHA
@{bin}/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
profile open { profile open {
@ -103,7 +103,7 @@ profile jdownloader @{exec_path} {
include <abstractions/xdg-open> include <abstractions/xdg-open>
@{bin}/xdg-open mr, @{bin}/xdg-open mr,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,


@ -23,7 +23,7 @@ profile orage @{exec_path} {
@{bin}/xdg-open rCx -> open, @{bin}/xdg-open rCx -> open,
@{bin}/exo-open rCx -> open, @{bin}/exo-open rCx -> open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open,
owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/ rw,
owner @{user_config_dirs}/orage/* rw, owner @{user_config_dirs}/orage/* rw,


@ -33,7 +33,7 @@
# Open # Open
@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open @{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop @{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
# File explorers # File explorers
@{file_explorers_path} = @{bin}/@{file_explorers_names} @{file_explorers_path} = @{bin}/@{file_explorers_names}


@ -61,6 +61,9 @@
@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} @{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
@{group}=@{user} @{group}=@{user}
# Semantic version
@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},}
# Shortcut for PCI device # Shortcut for PCI device
@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}
@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h}
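Review bot: The one-word comment `# Semantic version` above the new `@{version}` definition does not tell a profile author what the pattern accepts, and because the commit substitutes it into `deny` rules and `rPx`/`rCx` targets across a dozen profiles the exact grammar is security-relevant. As written it matches `2`, `2.0`, `2.0.1` and `2.0.1-rc1` (the tag being whatever `@{rand}` allows, apparently one to ten alphanumerics judging by the Go mirror), but not dotted pre-release tags like `2.0.1-rc.1`, `+build` metadata, or a four-component `1.2.3.4`, all of which the former `[0-9]*` glob did match. I would replace the comment with `# Version string: MAJOR{.MINOR{.PATCH}}{-TAG}, e.g. 2, 2.0, 2.0.1, 2.0.1-rc1. Stricter than [0-9]*: no +build metadata, dotted tags or a 4th component.` The definition also depends on `@{int}` and `@{rand}` being declared in this file, which lies outside the section shown.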


@ -135,5 +135,5 @@ title: Variables References
| Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` |
| Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) |
| Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` |
| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop` | Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop`
| All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11)


@ -33,6 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{ return &AppArmorProfileFile{
Preamble: Rules{ Preamble: Rules{
&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
@ -40,11 +41,13 @@ func DefaultTunables() *AppArmorProfileFile {
&Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true}, &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true}, &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
&Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true},
&Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true},
&Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
&Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
&Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
&Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true},
}, },
} }
} }
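Review bot: The three new `Variable` entries (`c`, `rand`, `version`) are a hand-copied mirror of the definitions in the AppArmor tunables file, yet only `rand` carries a comment and nothing records that the two copies must change together, so the next edit to `@{version}` in the tunables is likely to leave this Go list stale. I would annotate each one: on `c`, `// Single alphanumeric character; building block of @{rand}`, and on `version`, `// MAJOR{.MINOR{.PATCH}}{-TAG}; must stay identical to @{version} in the AppArmor tunables`. `version` expands through `@{int}` and `@{rand}`, and `rand` through `@{c}`, so the alphabetical placement happens to declare each name before it is referenced — if any consumer of this preamble expands variables in order, a sentence saying that ordering is deliberate (or a test that the expansion resolves) would keep a future re-sort from breaking it. The `DefaultTunables` function begins before this section's first hunk.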