From 52e52f06dbdf3ad8d3fe2cda68217093ed555a48 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 8 Dec 2023 17:53:51 +0000
Subject: [PATCH] feat(abs): unify app launcher abstraction.
---
 apparmor.d/abstractions/app-launcher-root | 8 +--
 apparmor.d/abstractions/app-launcher-user | 55 +++++-----------
 apparmor.d/abstractions/app-open | 72 +++++++++++++++++++++
 apparmor.d/groups/children/child-open | 77 +++--------------------
 4 files changed, 98 insertions(+), 114 deletions(-)
 create mode 100644 apparmor.d/abstractions/app-open
diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root
index 541e90fe..acc16e55 100644
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@@ -1,16 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
- # Root app location
+ @{bin}/* rPUx,
+ /usr/local/{s,}bin/* rPUx,
+ @{bin}/ r,
- @{bin}/[a-z0-9]* rPUx,
 / r,
 /usr/ r,
 /usr/local/{s,}bin/ r,
- /usr/local/{s,}bin/[a-z0-9]* rPUx,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 1dd9c724..93efa906 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
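Review bot: `@{bin}/* rPUx,` and `/usr/local/{s,}bin/* rPUx,` widen the executable set beyond the `[a-z0-9]*` globs they replace: `*` also matches entries whose names begin with `.`, `_`, `-` or an uppercase letter, and because the mode is PUx any such entry without a loaded profile runs unconfined. If the goal was only to stop excluding mixed-case names, a class that still rejects a leading dot, e.g. `@{bin}/[^.]* rPUx,`, keeps hidden entries out; if the full widening is intended, say so above the rules, e.g. `# Any program in the system bin dirs may be launched; PUx falls back to unconfined`. The removed `# Root app location` heading is not carried over, so the rewritten block has no section comment at all.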
@@ -1,50 +1,25 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
- # User app location
- / r,
- /{usr/,}bin/ r,
- /{usr/,}bin/[a-zA-Z0-9]* rPUx,
- /usr/ r,
- /usr/local/bin/ r,
- /usr/local/bin/[a-zA-Z0-9]* rPUx,
+ @{bin}/* rPUx,
+ /opt/*/** rPUx,
+ /usr/share/*/* rPUx,
+ /usr/local/bin/* rPUx,
- # All apps in opt
- /opt/*/ r,
- /opt/*/[a-zA-Z0-9]* rPUx,
+ # Browsers
+ @{brave_path} rPx,
+ @{chrome_path} rPx,
+ @{chromium_path} rPx,
+ @{firefox_path} rPx,
+ @{opera_path} rPx,
- # Codium
- /usr/share/codium/codium rPUx,
-
- # Firefox
- @{bin}/firefox{,.sh,-esr,-bin} rPx,
- @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
- /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
-
- # Thunderbird
- @{bin}/thunderbird{,.sh,-esr,-bin} rPx,
- @{lib}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
- /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx,
-
- # Brave
- /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
-
- # Chromium
- @{lib}/chromium/chromium rPx,
-
- # Chrome
- /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
-
- # Opera
- @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
-
- # Discord
- /usr/share/ r,
- /usr/share/discord/ r,
- /usr/share/discord/Discord rPx,
+ @{bin}/ r,
+ / r,
+ /usr/ r,
+ /usr/local/bin/ r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
new file mode 100644
index 00000000..5a153d2c
--- /dev/null
+++ b/apparmor.d/abstractions/app-open
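Review bot: `/opt/*/** rPUx,` and `/usr/share/*/* rPUx,` replace rules that covered only the direct children of `/opt/<app>/` and two explicitly named binaries, so exec-with-unconfined-fallback now reaches every depth under `/opt` and every file one level below any `/usr/share` directory; `/usr/share/discord/Discord` in particular goes from `rPx` (denied when no profile is loaded) to `rPUx` (unconfined when no profile is loaded). If this abstraction is meant to keep user launchers to known programs, `/opt/*/* rPUx,` plus the explicit `/usr/share/discord/Discord rPx,` and `/usr/share/codium/codium rPUx,` lines preserve the previous reach, and otherwise a comment above the block should record that the wildcards are deliberate. Separately, the Thunderbird rules are removed without a `@{thunderbird_path}` counterpart to the new browser variables, so a launcher that executes `@{lib}/thunderbird*/thunderbird*` directly is no longer permitted by this abstraction — presumably only the `@{bin}/thunderbird` wrapper is ever invoked, but that is worth confirming.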
@@ -0,0 +1,72 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Instead of allowing the run of all software in @{bin}/, @{lib} the purpose of
+# this abstraction is to list all GUI program that can open resources.
+
+# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
+# should be present here. Until this day, this profile will be a controlled mess.
+
+ # Sandbox managers
+ @{bin}/bwrap rPUx,
+ @{bin}/firejail rPUx,
+ @{bin}/flatpak rPUx,
+ @{bin}/snap rPUx,
+
+ # Files explorer
+ @{bin}/nautilus rPx,
+
+ # Browsers
+ @{brave_path} rPx,
+ @{chrome_path} rPx,
+ @{chromium_path} rPx,
+ @{firefox_path} rPx,
+ @{opera_path} rPx,
+
+ # Text editors
+ @{bin}/code rPUx,
+ @{bin}/gedit rPUx,
+ @{bin}/gnome-text-editor rPUx,
+ /usr/share/code/{bin/,}code rPUx,
+
+ # Others
+ @{bin}/*{F,f}oliate rPUx,
+ @{bin}/blueman-tray rPx,
+ @{bin}/discord{,-ptb} rPx,
+ @{bin}/draw.io rPUx,
+ @{bin}/dropbox rPx,
+ @{bin}/element-desktop rPx,
+ @{bin}/engrampa rPx,
+ @{bin}/eog rPUx,
+ @{bin}/evince rPx,
+ @{bin}/extension-manager rPx,
+ @{bin}/file-roller rPUx,
+ @{bin}/filezilla rPx,
+ @{bin}/flameshot rPx,
+ @{bin}/flatpak rPUx,
+ @{bin}/geany rPx,
+ @{bin}/gimp* rPUx,
+ @{bin}/gnome-calculator rPUx,
+ @{bin}/gnome-disk-image-mounter rPx,
+ @{bin}/gnome-disks rPx,
+ @{bin}/gwenview rPUx,
+ @{bin}/kgx rPx,
+ @{bin}/okular rPx,
+ @{bin}/qbittorrent rPx,
+ @{bin}/qpdfview rPx,
+ @{bin}/smplayer rPx,
+ @{bin}/spacefm rPx,
+ @{bin}/steam-runtime rPUx,
+ @{bin}/teams rPUx,
+ @{bin}/telegram-desktop rPx,
+ @{bin}/thunderbird rPx,
+ @{bin}/transmission-gtk rPx,
+ @{bin}/viewnior rPUx,
+ @{bin}/vlc rPUx,
+ @{bin}/xarchiver rPx,
+ @{bin}/xbrlapi rPx,
+ @{bin}/yelp rPUx,
+ @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
+
+ include if exists
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 35f18157..377986f1 100644
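Review bot: `@{bin}/flatpak rPUx,` appears twice in the new file, once under `# Sandbox managers` and again under `# Others` between the flameshot and geany entries; the second copy should be dropped so the list has a single entry per program now that child-open includes it. The header comment still reads `# should be present here. Until this day, this profile will be a controlled mess.` although the file is now an abstraction; `this abstraction` matches the sentence above it. Unlike app-launcher-root and app-launcher-user in the same patch, the new file carries no `abi` line before its rules — presumably intended, since an abstraction takes the abi of the including profile, but worth checking against the project's other abstractions.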
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -2,9 +2,8 @@
 # Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-open" exec transitions
-# from other profiles.
+# This profile is designed to be used in a child profile to limit what
+# confined application can invoke via xdg-open helper.
 # Instead of allowing the run of all software in @{bin}/, the purpose of
 # this profile is to list all GUI program that can open resources.
@@ -12,6 +11,10 @@
 # Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
 # should be present here. Until this day, this profile will be a controlled mess.
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-open" exec transitions
+# from other profiles.
+
 abi ,
 include
@@ -20,6 +23,7 @@ include
 @{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
 include
+ include
 include
 include
 include
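Review bot: The new description added in the first hunk, `# This profile is designed to be used in a child profile to limit what` / `# confined application can invoke via xdg-open helper.`, is hard to parse; `# what a confined application can invoke through the xdg-open helper.` reads cleanly. The two context paragraphs kept right below it (`# Instead of allowing the run of all software in @{bin}/, the purpose of this profile is to list all GUI program ...` and the `# Ultimatelly ...` one at the top of the second hunk) still describe a program list that this commit moves out of the profile and pulls back in through the include added in the third hunk, so they now document the wrong file; a one-liner such as `# The list of launchable programs is maintained in abstractions/app-open.` would keep the header accurate. The third hunk's include target is not legible in this rendering, so I am assuming it is the new app-open abstraction.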
@@ -32,73 +36,6 @@ profile child-open {
 @{bin}/basename rix,
 @{bin}/readlink rix,
- # Sandbox managers
- @{bin}/bwrap rPUx,
- @{bin}/firejail rPUx,
- @{bin}/flatpak rPUx,
- @{bin}/snap rPUx,
-
- # Files explorer
- @{bin}/nautilus rPx,
-
- # Firefox
- @{bin}/firefox{,.sh,-esr,-bin} rPx,
- @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
- /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx,
- # Brave
- /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx,
- # Chromium
- @{bin}/chromium rPx,
- @{lib}/chromium/chromium rPx,
- # Chrome
- /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable} rPx,
- # Opera
- @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer} rPx,
-
- # Text editors
- @{bin}/code rPUx,
- @{bin}/gedit rPUx,
- @{bin}/gnome-text-editor rPUx,
- /usr/share/code/{bin/,}code rPUx,
-
- # Others
- @{bin}/*{F,f}oliate rPUx,
- @{bin}/blueman-tray rPx,
- @{bin}/discord{,-ptb} rPx,
- @{bin}/draw.io rPUx,
- @{bin}/dropbox rPx,
- @{bin}/element-desktop rPx,
- @{bin}/engrampa rPx,
- @{bin}/eog rPUx,
- @{bin}/evince rPx,
- @{bin}/extension-manager rPx,
- @{bin}/file-roller rPUx,
- @{bin}/filezilla rPx,
- @{bin}/flameshot rPx,
- @{bin}/geany rPx,
- @{bin}/gimp* rPUx,
- @{bin}/gnome-calculator rPUx,
- @{bin}/gnome-disk-image-mounter rPx,
- @{bin}/gnome-disks rPx,
- @{bin}/gwenview rPUx,
- @{bin}/kgx rPx,
- @{bin}/okular rPx,
- @{bin}/qbittorrent rPx,
- @{bin}/qpdfview rPx,
- @{bin}/smplayer rPx,
- @{bin}/spacefm rPx,
- @{bin}/steam-runtime rPUx,
- @{bin}/teams rPUx,
- @{bin}/telegram-desktop rPx,
- @{bin}/thunderbird rPx,
- @{bin}/transmission-gtk rPx,
- @{bin}/viewnior rPUx,
- @{bin}/vlc rPUx,
- @{bin}/xarchiver rPx,
- @{bin}/xbrlapi rPx,
- @{bin}/yelp rPUx,
- @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
-
 include if exists
 include if exists
 }