feat(abs): unify app launcher abstraction.

2025-01-18 00:48:10 +01:00 · 2023-12-08 17:53:51 +00:00 · 2023-12-08 17:53:51 +00:00 · 52e52f06db
commit 52e52f06db
parent 9e402987c6
4 changed files with 98 additions and 114 deletions
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -1,16 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  abi <abi/3.0>,
-  # Root app location
+  @{bin}/*                      rPUx,
  /usr/local/{s,}bin/*          rPUx,
  @{bin}/                       r,
  @{bin}/[a-z0-9]*              rPUx,
  /                             r,
  /usr/                         r,
  /usr/local/{s,}bin/           r,
  /usr/local/{s,}bin/[a-z0-9]*  rPUx,
  include if exists <abstractions/app-launcher-root.d>
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -1,50 +1,25 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  abi <abi/3.0>,
-  # User app location
+  @{bin}/*                      rPUx,
-  /                            r,
+  /opt/*/**                     rPUx,
-  /{usr/,}bin/                 r,
+  /usr/share/*/*                rPUx,
-  /{usr/,}bin/[a-zA-Z0-9]*     rPUx,
+  /usr/local/bin/*              rPUx,
  /usr/                        r,
  /usr/local/bin/              r,
  /usr/local/bin/[a-zA-Z0-9]*  rPUx,
-  # All apps in opt
+  # Browsers
-  /opt/*/                 r,
+  @{brave_path}                 rPx,
-  /opt/*/[a-zA-Z0-9]*    rPUx,
+  @{chrome_path}                rPx,
  @{chromium_path}              rPx,
  @{firefox_path}               rPx,
  @{opera_path}                 rPx,
-  # Codium
+  @{bin}/                       r,
-  /usr/share/codium/codium rPUx,
+  /                             r,
-
+  /usr/                         r,
-  # Firefox
+  /usr/local/bin/               r,
  @{bin}/firefox{,.sh,-esr,-bin}                                                 rPx,
  @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                         rPx,
  /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                           rPx,
  # Thunderbird
  @{bin}/thunderbird{,.sh,-esr,-bin}                                             rPx,
  @{lib}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin}                 rPx,
  /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin}                   rPx,
  # Brave
  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
  # Chromium
  @{lib}/chromium/chromium                                                       rPx,
  # Chrome
  /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable}  rPx,
  # Opera
  @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}          rPx,
  # Discord
  /usr/share/                r,
  /usr/share/discord/        r,
  /usr/share/discord/Discord rPx,
  include if exists <abstractions/app-launcher-user.d>
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -0,0 +1,72 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Instead of allowing the run of all software in @{bin}/, @{lib} the purpose of
 # this abstraction is to list all GUI program that can open resources.
 # Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
 # should be present here. Until this day, this profile will be a controlled mess.
  # Sandbox managers
  @{bin}/bwrap                  rPUx,
  @{bin}/firejail               rPUx,
  @{bin}/flatpak                rPUx,
  @{bin}/snap                   rPUx,
  # Files explorer
  @{bin}/nautilus               rPx,
  # Browsers
  @{brave_path}                 rPx,
  @{chrome_path}                rPx,
  @{chromium_path}              rPx,
  @{firefox_path}               rPx,
  @{opera_path}                 rPx,
  # Text editors
  @{bin}/code                   rPUx,
  @{bin}/gedit                  rPUx,
  @{bin}/gnome-text-editor      rPUx,
  /usr/share/code/{bin/,}code   rPUx,
  # Others
  @{bin}/*{F,f}oliate           rPUx,
  @{bin}/blueman-tray           rPx,
  @{bin}/discord{,-ptb}         rPx,
  @{bin}/draw.io                rPUx,
  @{bin}/dropbox                rPx,
  @{bin}/element-desktop        rPx,
  @{bin}/engrampa               rPx,
  @{bin}/eog                    rPUx,
  @{bin}/evince                 rPx,
  @{bin}/extension-manager      rPx,
  @{bin}/file-roller            rPUx,
  @{bin}/filezilla              rPx,
  @{bin}/flameshot              rPx,
  @{bin}/flatpak                rPUx,
  @{bin}/geany                  rPx,
  @{bin}/gimp*                  rPUx,
  @{bin}/gnome-calculator       rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks            rPx,
  @{bin}/gwenview               rPUx,
  @{bin}/kgx                    rPx,
  @{bin}/okular                 rPx,
  @{bin}/qbittorrent            rPx,
  @{bin}/qpdfview               rPx,
  @{bin}/smplayer               rPx,
  @{bin}/spacefm                rPx,
  @{bin}/steam-runtime          rPUx,
  @{bin}/teams                  rPUx,
  @{bin}/telegram-desktop       rPx,
  @{bin}/thunderbird            rPx,
  @{bin}/transmission-gtk       rPx,
  @{bin}/viewnior               rPUx,
  @{bin}/vlc                    rPUx,
  @{bin}/xarchiver              rPx,
  @{bin}/xbrlapi 	            rPx,
  @{bin}/yelp                   rPUx,
  @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
  include if exists <abstractions/app-open.d>
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -2,9 +2,8 @@
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# Note: This profile does not specify an attachment path because it is
+# This profile is designed to be used in a child profile to limit what
-# intended to be used only via "Px -> child-open" exec transitions
+# confined application can invoke via xdg-open helper.
 # from other profiles. 
 # Instead of allowing the run of all software in @{bin}/, the purpose of
 # this profile is to list all GUI program that can open resources.
@ -12,6 +11,10 @@
 # Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
 # should be present here. Until this day, this profile will be a controlled mess.
 # Note: This profile does not specify an attachment path because it is
 # intended to be used only via "Px -> child-open" exec transitions
 # from other profiles. 
 abi <abi/3.0>,
 include <tunables/global>
@ -20,6 +23,7 @@ include <tunables/global>
@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
  include <abstractions/base>
  include <abstractions/app-open>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/vulkan>
@ -32,73 +36,6 @@ profile child-open {
  @{bin}/basename          rix,
  @{bin}/readlink          rix,
  # Sandbox managers
  @{bin}/bwrap            rPUx,
  @{bin}/firejail         rPUx,
  @{bin}/flatpak          rPUx,
  @{bin}/snap             rPUx,
  # Files explorer
  @{bin}/nautilus          rPx,
  # Firefox
  @{bin}/firefox{,.sh,-esr,-bin}                                                 rPx,
  @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                         rPx,
  /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                           rPx,
  # Brave
  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin}          rPx,
  # Chromium
  @{bin}/chromium                                                                rPx,
  @{lib}/chromium/chromium                                                       rPx,
  # Chrome
  /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable}  rPx,
  # Opera
  @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}          rPx,
  # Text editors
  @{bin}/code                  rPUx,
  @{bin}/gedit                 rPUx,
  @{bin}/gnome-text-editor     rPUx,
  /usr/share/code/{bin/,}code  rPUx,
  # Others
  @{bin}/*{F,f}oliate     rPUx,
  @{bin}/blueman-tray      rPx,
  @{bin}/discord{,-ptb}    rPx,
  @{bin}/draw.io          rPUx,
  @{bin}/dropbox           rPx,
  @{bin}/element-desktop   rPx,
  @{bin}/engrampa          rPx,
  @{bin}/eog              rPUx,
  @{bin}/evince            rPx,
  @{bin}/extension-manager rPx,
  @{bin}/file-roller      rPUx,
  @{bin}/filezilla         rPx,
  @{bin}/flameshot         rPx,
  @{bin}/geany             rPx,
  @{bin}/gimp*            rPUx,
  @{bin}/gnome-calculator rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks       rPx,
  @{bin}/gwenview         rPUx,
  @{bin}/kgx               rPx,
  @{bin}/okular            rPx,
  @{bin}/qbittorrent       rPx,
  @{bin}/qpdfview          rPx,
  @{bin}/smplayer          rPx,
  @{bin}/spacefm           rPx,
  @{bin}/steam-runtime    rPUx,
  @{bin}/teams            rPUx,
  @{bin}/telegram-desktop  rPx,
  @{bin}/thunderbird       rPx,
  @{bin}/transmission-gtk  rPx,
  @{bin}/viewnior         rPUx,
  @{bin}/vlc              rPUx,
  @{bin}/xarchiver         rPx,
  @{bin}/xbrlapi 	         rPx,
  @{bin}/yelp             rPUx,
  @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
  include if exists <usr/child-open.d>
  include if exists <local/child-open>
 }