From 7a5096e7d8723e612407945fcd9998eeafe1c44a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 27 Aug 2023 15:24:54 +0100
Subject: [PATCH] feat(profiles): add inital version of dolphin.
---
 apparmor.d/groups/kde/dolphin | 78 +++++++++++++++++++++++++++++++++++
 dists/flags/main.flags | 6 +--
 2 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 apparmor.d/groups/kde/dolphin
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
new file mode 100644
index 00000000..aea1b9c1
--- /dev/null
+++ b/apparmor.d/groups/kde/dolphin
@@ -0,0 +1,78 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/dolphin
+profile dolphin @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ signal (send) set=(term) peer=kioslave5,
+
+ @{exec_path} mr,
+
+ @{bin}/konsole rPUx,
+ @{bin}/ldd rix,
+ @{lib}/kf5/kioslave5 rPx,
+
+ /usr/share/kf5/kmoretools/{,**} r,
+ /usr/share/kio/{,**} r,
+ /usr/share/kservices5/{,**} r,
+ /usr/share/mime/ r,
+
+ /etc/fstab r,
+ /etc/xdg/arkrc r,
+ /etc/machine-id r,
+
+ # Full access to user's data
+ / r,
+ owner @{HOME}/{,**} rw,
+
+ # Silence non user's data
+ deny /boot/{,**} r,
+ deny /opt/{,**} r,
+ deny /root/{,**} r,
+ deny /tmp/.* rw,
+ deny /tmp/.*/{,**} rw,
+
+ owner @{user_share_dirs}/dolphin/ rw,
+ owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
+
+ owner @{user_config_dirs}/#@{int} rw,
+ owner @{user_config_dirs}/dolphinrc rw,
+ owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+ owner @{user_config_dirs}/dolphinrc.lock rwk,
+ owner @{user_config_dirs}/kde.org/#@{int} rw,
+ owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf rw,
+ owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwlk -> @{user_config_dirs}/kde.org/#@{int},
+ owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
+
+ owner @{user_config_dirs}/session/ rw,
+ owner @{user_config_dirs}/session/#@{int} rw,
+ owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int},
+
+ @{run}/mount/utab r,
+ owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+ owner @{run}/user/@{uid}/#@{int} rw,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ /dev/tty r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 2b5e72c6..8c3f0d10 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -8,10 +8,6 @@ akonadi_agent_server complain
 akonadi_akonotes_resource complain
 akonadi_archivemail_agent complain
 akonadi_birthdays_resource complain
-akonadi_contacts_resource complain
-akonadi_control complain
-akonadi_davgroupware_resource complain
-akonadi_etesync_resource complain
 akonadi_ews_resource complain
 akonadi_ewsmta_resource complain
 akonadi_followupreminder_agent complain
@@ -85,9 +81,11 @@ cups-backend-usb complain
 cups-browsed complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
+DiscoverNotifier complain
 dkms attach_disconnected,complain
 docker-proxy complain
 dockerd attach_disconnected,complain
+dolphin complain
 downloadhelper complain
 drkonqi complain
 e2fsck complain
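Review bot: `owner @{HOME}/{,**} rw,` gives the profile write access to everything the user owns under the home directory, including shell startup files, `~/.ssh` and autostart entries, and `@{bin}/konsole rPUx,` falls back to running konsole unconfined when no konsole profile is loaded, so together the two rules leave little confinement of the user's session. A file manager needs broad access, so this may be intended, but the profile should say so, for example above the konsole rule: `# Terminal opened on user request; runs unconfined when no konsole profile is loaded.` The `deny` rules under "Silence non user's data" are enforced even in complain mode and are not audited, so browsing /boot, /opt or /root from dolphin will fail without a log entry; if the aim is only to reduce log noise, that also deserves a comment stating the trade-off. The contents of the included abstractions are not visible in this view, so some of this may already be narrowed there.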
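Review bot: Only `dolphin complain` in this hunk matches the commit subject; `DiscoverNotifier complain` is added here, and the previous hunk drops the `complain` flag from four akonadi profiles, with neither change mentioned in the commit message. Removing `complain` presumably moves `akonadi_contacts_resource`, `akonadi_control`, `akonadi_davgroupware_resource` and `akonadi_etesync_resource` to enforce mode, which is a behaviour change worth its own commit or at least a line in the description. The diffstat shows no DiscoverNotifier profile in this patch, so it is worth confirming that the profile already exists in the tree.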