diff --git a/dists/ubuntu/abstractions/dbus-network-manager-strict b/dists/ubuntu/abstractions/dbus-network-manager-strict
deleted file mode 100644
index dd43ca8b..00000000
--- a/dists/ubuntu/abstractions/dbus-network-manager-strict
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=org.freedesktop.NetworkManager),
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member=GetDevices
- peer=(name=org.freedesktop.NetworkManager),
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=org.freedesktop.NetworkManager),
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager/Devices/[0-9]*
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=org.freedesktop.NetworkManager),
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager/Settings
- interface=org.freedesktop.NetworkManager.Settings
- member={GetDevices,ListConnections}
- peer=(name=org.freedesktop.NetworkManager),
-
- dbus send
- bus=system
- path=/org/freedesktop/NetworkManager/Settings/[0-9]*
- interface=org.freedesktop.NetworkManager.Settings.Connection
- member=GetSettings
- peer=(name=org.freedesktop.NetworkManager),
-
- include if exists
diff --git a/dists/ubuntu/abstractions/exo-open b/dists/ubuntu/abstractions/exo-open
deleted file mode 100644
index d2d75391..00000000
--- a/dists/ubuntu/abstractions/exo-open
+++ /dev/null
@@ -1,74 +0,0 @@
-# vim:syntax=apparmor
-
-# This abstraction is designed to be used in a child profile to limit what
-# confined application can invoke via exo-open helper.
-#
-# NOTE: most likely you want to use xdg-open abstraction instead for better
-# portability across desktop environments, unless you are sure that confined
-# application only uses /usr/bin/exo-open directly.
-#
-# Usage example:
-#
-# ```
-# profile foo /usr/bin/foo {
-# ...
-# /usr/bin/exo-open rPx -> foo//exo-open,
-# ...
-# } # end of main profile
-#
-# # out-of-line child profile
-# profile foo//exo-open {
-# include
-#
-# # needed for ubuntu-* abstractions
-# include
-#
-# # Only allow to handle http[s]: and mailto: links
-# include
-# include
-#
-# # Add if accesibility access is considered as required
-# # (for message boxe in case exo-open fails)
-# include
-#
-# # < add additional allowed applications here >
-# }
-
- include
- include # for alert messages
- include
- include
- include
-
- # Main executables
-
- /usr/bin/exo-open rix,
- /usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
-
- # Other executables
-
- /{,usr/}bin/which rix,
-
- # Deny DBus
-
- # for GTK error message dialog, not required exo-open to work.
- deny dbus send
- bus=session
- path=/org/gtk/vfs/mounttracker,
-
- # System files
-
- /etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
- /etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
- /usr/share/sounds/freedesktop/** r, # for message box alert sound
- /usr/share/xfce4/helpers/*.desktop r,
- /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
-
- # User files
-
- owner @{PROC}/@{pid}/fd/ r,
- owner @{HOME}/.config/xfce4/helpers.rc r,
- owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
-
- # Include additions to the abstraction
- include if exists
\ No newline at end of file
diff --git a/dists/ubuntu/abstractions/gio-open b/dists/ubuntu/abstractions/gio-open
deleted file mode 100644
index 3c85a57e..00000000
--- a/dists/ubuntu/abstractions/gio-open
+++ /dev/null
@@ -1,57 +0,0 @@
-# vim:syntax=apparmor
-
-# This abstraction is designed to be used in a child profile to limit what
-# confined application can invoke via gio helper.
-#
-# NOTE: most likely you want to use xdg-open abstraction instead for better
-# portability across desktop environments, unless you are sure that confined
-# application only uses /usr/bin/gio directly.
-#
-# Usage example:
-#
-# ```
-# profile foo /usr/bin/foo {
-# ...
-# /usr/bin/gio rPx -> foo//gio-open,
-# ...
-# } # end of main profile
-#
-# # out-of-line child profile
-# profile foo//gio-open {
-# include
-#
-# # needed for ubuntu-* abstractions
-# include
-#
-# # Only allow to handle http[s]: and mailto: links
-# include
-# include
-#
-# # < add additional allowed applications here >
-# }
-
- include
- include
-
- # Main executables
-
- /usr/bin/gio rix,
- /usr/bin/gio-launch-desktop ix, # for OpenSUSE
- /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
-
- # System files
-
- /etc/gnome/defaults.list r,
- /usr/share/mime/* r,
- /usr/share/{,*/}applications/{,**} r,
- /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
- /var/lib/snapd/desktop/applications/{,**} r,
-
- # User files
-
- owner @{HOME}/.config/mimeapps.list r,
- owner @{HOME}/.local/share/applications/{,*.desktop} r,
- owner @{PROC}/@{pid}/fd/ r,
-
- # Include additions to the abstraction
- include if exists
diff --git a/dists/ubuntu/abstractions/gvfs-open b/dists/ubuntu/abstractions/gvfs-open
deleted file mode 100644
index 14a50825..00000000
--- a/dists/ubuntu/abstractions/gvfs-open
+++ /dev/null
@@ -1,46 +0,0 @@
-# vim:syntax=apparmor
-
-# This abstraction is designed to be used in a child profile to limit what
-# confined application can invoke via gvfs-open helper.
-#
-# NOTE: most likely you want to use xdg-open abstraction instead for better
-# portability across desktop environments, unless you are sure that confined
-# application only uses /usr/bin/gvfs-open directly.
-#
-# Usage example:
-#
-# ```
-# profile foo /usr/bin/foo {
-# ...
-# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
-# ...
-# } # end of main profile
-#
-# # out-of-line child profile
-# profile foo//gvfs-open {
-# include
-#
-# # needed for ubuntu-* abstractions
-# include
-#
-# # Only allow to handle http[s]: and mailto: links
-# include
-# include
-#
-# # < add additional allowed applications here >
-# }
-# ```
-
- include
-
- # gvfs-open is deprecated, it launches gio open
- include
-
- # Main executables
-
- /usr/bin/gvfs-open r,
- /{,usr/}bin/dash mr,
-
- # Include additions to the abstraction
- include if exists
-
diff --git a/dists/ubuntu/abstractions/hosts_access b/dists/ubuntu/abstractions/hosts_access
deleted file mode 100644
index e5ea88c1..00000000
--- a/dists/ubuntu/abstractions/hosts_access
+++ /dev/null
@@ -1,17 +0,0 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2020 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
- abi ,
-
- /etc/hosts.deny r,
- /etc/hosts.allow r,
-
- include if exists
diff --git a/dists/ubuntu/abstractions/kde-open5 b/dists/ubuntu/abstractions/kde-open5
deleted file mode 100644
index f72d2f88..00000000
--- a/dists/ubuntu/abstractions/kde-open5
+++ /dev/null
@@ -1,104 +0,0 @@
-# vim:syntax=apparmor
-
-# This abstraction is designed to be used in a child profile to limit what
-# confined application can invoke via kde-open5 helper.
-#
-# NOTE: most likely you want to use xdg-open abstraction instead for better
-# portability across desktop environments, unless you are sure that confined
-# application only uses /usr/bin/kde-open5 directly.
-#
-# Usage example:
-#
-# ```
-# profile foo /usr/bin/foo {
-# ...
-# /usr/bin/kde-open5 rPx -> foo//kde-open5,
-# ...
-# } # end of main profile
-#
-# # out-of-line child profile
-# profile foo//kde-open5 {
-# include
-#
-# # needed for ubuntu-* abstractions
-# include
-#
-# # Only allow to handle http[s]: and mailto: links
-# include
-# include
-#
-# # Add if accesibility access is considered as required
-# # (for message boxe in case exo-open fails)
-# include
-#
-# # Add if audio support for message box is
-# # considered as required.
-# include if exists
-#
-# # < add additional allowed applications here >
-# }
-# ```
-
- include # for alert messages
- include
- include
- include
- include
- include
- include
- include
- include # for IceProcessMessages () from libICE.so (called by libQtCore.so)
- include
- include
- include
- include
-
- # Main executables
-
- /usr/bin/kde-open5 rix,
- /usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
-
- # DBus
-
- dbus
- bus=session
- interface=org.kde.KLauncher
- member=start_service_by_desktop_path
- peer=(name=org.kde.klauncher5),
-
- # Denied system files
-
- deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
-
- # libpcre2 on openSUSE tries to mmap() shared memory on directory.
- # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
- # AppArmor does not allow to distinguish "real" file vs shared memory one,
- # so we deny this path to protect from loading exploits from /tmp.
- deny /tmp/#[0-9]*[0-9] m,
-
- # System files
-
- /dev/tty r,
- /etc/xdg/accept-languages.codes r,
- /etc/xdg/menus/{,*/} r,
- /usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
- /usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
- /usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
- /usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
- /usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
- /usr/share/mime/ r,
- /usr/share/mime/generic-icons r,
- /usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
- /usr/share/sounds/ r,
- @{PROC}/sys/kernel/core_pattern r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- # User files
-
- owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
- owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
- owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
- owner @{HOME}/.cache/kio_http/ rw,
-
- # Include additions to the abstraction
- include if exists
diff --git a/dists/ubuntu/abstractions/xdg-open b/dists/ubuntu/abstractions/xdg-open
deleted file mode 100644
index 3885dc0e..00000000
--- a/dists/ubuntu/abstractions/xdg-open
+++ /dev/null
@@ -1,84 +0,0 @@
-# vim:syntax=apparmor
-
-# This abstraction is designed to be used in a child profile to limit what
-# confined application can invoke via xdg-open helper. xdg-open abstraction
-# will allow to use gio-open, kde-open5 and other helpers of the different
-# desktop environments.
-#
-# Usage example:
-#
-# ```
-# profile foo /usr/bin/foo {
-# ...
-# /usr/bin/xdg-open rPx -> foo//xdg-open,
-# ...
-# } # end of main profile
-#
-# # out-of-line child profile
-# profile foo//xdg-open {
-# include
-#
-# # Enable a11y support if considered required by
-# # profile author for (rare) error message boxes.
-# include
-#
-# # Enable gstreamer support if considered required by
-# # profile author for (rare) error message boxes.
-# include if exists
-#
-# # needed for ubuntu-* abstractions
-# include
-#
-# # Only allow to handle http[s]: and mailto: links
-# include
-# include
-#
-# # < add additional allowed applications here >
-# }
-# ```
-
- include
-
- # for openin with `exo-open`
- include
-
- # for opening with `gio open `
- include
-
- # for opening with gvfs-open (deprecated)
- include
-
- # for opening with kde-open5
- include
-
- # Main executables
-
- /{,usr/}bin/{b,d}ash mr,
- /usr/bin/xdg-open r,
-
- # Additional executables
-
- /usr/bin/xdg-mime rix,
- /{,usr/}bin/cut rix, # for xdg-mime
- /{,usr/}bin/head rix, # for xdg-mime
- /{,usr/}bin/sed rix, # for xdg-open
- /{,usr/}bin/tr rix, # for xdg-mime
- /{,usr/}bin/which rix, # for xdg-open
- /{,usr/}bin/{grep,egrep} rix, # for xdg-open
-
- # System files
-
- /dev/pts/[0-9]* rw,
- /dev/tty w,
- /etc/gnome/defaults.list r, # for grep
- /usr/share/applications/mimeinfo.cache r, # for grep
- /usr/share/terminfo/s/screen r, # for bash on openSUSE
- /usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
- /var/lib/menu-xdg/applications/ r, # for xdg-mime
-
- # Usr files
-
- owner @{HOME}/.local/share/applications/{,*.desktop} r,
-
- # Include additions to the abstraction
- include if exists
\ No newline at end of file