feat(abs): common/gnome: remove open_path from the abs, add bus accessibility.

This commit is contained in:
Alexandre Pujol 2024-10-04 14:31:54 +01:00
parent 2ef038e8d9
commit 7b73adceeb
23 changed files with 44 additions and 34 deletions


@ -4,24 +4,30 @@
# Minimal set of rules for all gnome based UI application. # Minimal set of rules for all gnome based UI application.
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y> include <abstractions/bus/org.a11y>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gnome-strict> include <abstractions/gnome-strict>
include <abstractions/graphics> include <abstractions/graphics>
@{open_path} rPx -> child-open-help,
/usr/share/@{profile_name}/{,**} r, /usr/share/@{profile_name}/{,**} r,
/ r,
owner @{user_cache_dirs}/@{profile_name}/ rw, owner @{user_cache_dirs}/@{profile_name}/ rw,
owner @{user_cache_dirs}/@{profile_name}/** rwlk, owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**,
owner @{user_config_dirs}/@{profile_name}/ rw, owner @{user_config_dirs}/@{profile_name}/ rw,
owner @{user_config_dirs}/@{profile_name}/** rwlk, owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**,
owner @{user_share_dirs}/@{profile_name}/ rw, owner @{user_share_dirs}/@{profile_name}/ rw,
owner @{user_share_dirs}/@{profile_name}/** rwlk, owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
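Review bot: The `/ r,` rule and the four `@{sys}/fs/cgroup/.../cpu.max` rules at lines 22 and 29-32 appear to be moving into the shared abstraction (the same rules are dropped from fractal and file-roller later in this commit; the rendering does not show the side of each line, so this is inferred), which means every consumer of `common/gnome` gains them whether or not it needs them. A one-line comment above the cgroup group naming what reads `cpu.max` would justify keeping it in the abstraction rather than in the two profiles that needed it, e.g. `# <library that reads cpu.max> reads the cgroup cpu quota of the user slice`. The `rwlk -> @{user_cache_dirs}/@{profile_name}/**` form on lines 24, 26 and 28 is a welcome tightening, since it pins link targets inside the app's own directory instead of allowing a link to anywhere. Note that the hunk header counts (24 old, 30 new) do not match the number of single-sided lines visible here, so some lines of this hunk may be missing from the page.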


@ -10,7 +10,6 @@ include <tunables/global>
profile epiphany @{exec_path} flags=(attach_disconnected) { profile epiphany @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-server> include <abstractions/audio-server>
include <abstractions/bus-accessibility>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.GeoClue2> include <abstractions/bus/org.freedesktop.GeoClue2>
include <abstractions/common/bwrap> include <abstractions/common/bwrap>
@ -33,6 +32,8 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open,
@{bin}/bwrap rix, @{bin}/bwrap rix,
@{bin}/xdg-dbus-proxy rix, @{bin}/xdg-dbus-proxy rix,
@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
@ -64,7 +65,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
@{PROC}/zoneinfo r, @{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
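Review bot: The transition on line 48, `@{open_path} rPx -> child-open,`, targets `child-open` while every other profile in this commit uses `child-open-help`; if the browser is deliberately given the broader opener profile, a short comment on that line would stop the next pass from "harmonising" it, e.g. `@{open_path} rPx -> child-open, # browser may open arbitrary URLs, not only help`. The enclosing epiphany profile starts and ends outside these hunks. The drop of `bus-accessibility` in the first hunk relies on `common/gnome` now providing it, which is consistent with the abstraction change in this commit.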


@ -21,6 +21,8 @@ profile gnome-calculator @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-calculator> include if exists <local/gnome-calculator>
} }


@ -9,9 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-calendar @{exec_path} = @{bin}/gnome-calendar
profile gnome-calendar @{exec_path} { profile gnome-calendar @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -40,6 +38,7 @@ profile gnome-calendar @{exec_path} {
peer=(name=:*, label=evolution-source-registry), peer=(name=:*, label=evolution-source-registry),
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
/usr/share/evolution-data-server/{,**} r, /usr/share/evolution-data-server/{,**} r,
/usr/share/libgweather/Locations.xml r, /usr/share/libgweather/Locations.xml r,


@ -10,9 +10,7 @@ include <tunables/global>
profile gnome-clocks @{exec_path} { profile gnome-clocks @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session> include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/bus/org.gtk.vfs.MountTracker> include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/common/gnome> include <abstractions/common/gnome>
@ -24,6 +22,7 @@ profile gnome-clocks @{exec_path} {
#aa:dbus own bus=session name=org.gnome.clocks #aa:dbus own bus=session name=org.gnome.clocks
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-clocks> include if exists <local/gnome-clocks>
} }


@ -9,8 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-contacts @{exec_path} = @{bin}/gnome-contacts
profile gnome-contacts @{exec_path} { profile gnome-contacts @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/gstreamer> include <abstractions/gstreamer>
@ -26,6 +24,7 @@ profile gnome-contacts @{exec_path} {
#aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
owner @{user_share_dirs}/folks/relationships.ini r, owner @{user_share_dirs}/folks/relationships.ini r,


@ -16,6 +16,7 @@ profile gnome-extensions-app @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
@{open_path} rPx -> child-open-help,
/usr/share/gnome-shell/org.gnome.Extensions* r, /usr/share/gnome-shell/org.gnome.Extensions* r,
/usr/share/terminfo/** r, /usr/share/terminfo/** r,


@ -24,6 +24,7 @@ profile gnome-firmware @{exec_path} {
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-firmware> include if exists <local/gnome-firmware>
} }


@ -12,6 +12,7 @@ profile gnome-font-viewer @{exec_path} {
include <abstractions/common/gnome> include <abstractions/common/gnome>
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-font-viewer> include if exists <local/gnome-font-viewer>
} }


@ -13,6 +13,7 @@ profile gnome-logs @{exec_path} {
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
/etc/machine-id r, /etc/machine-id r,


@ -22,6 +22,8 @@ profile gnome-maps @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
audit @{bin}/gjs-console rix, audit @{bin}/gjs-console rix,
owner @{user_pictures_dirs}/** rw, owner @{user_pictures_dirs}/** rw,


@ -28,6 +28,9 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
@{bin}/ r, @{bin}/ r,
@{bin}/env r, @{bin}/env r,
@{bin}/python3.@{int} rix, @{bin}/python3.@{int} rix,


@ -24,6 +24,7 @@ profile gnome-recipes @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/tar rix, @{bin}/tar rix,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-recipes> include if exists <local/gnome-recipes>
} }


@ -19,6 +19,8 @@ profile gnome-text-editor @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,


@ -13,6 +13,7 @@ profile gnome-tour @{exec_path} {
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
include if exists <local/gnome-tour> include if exists <local/gnome-tour>
} }


@ -23,6 +23,7 @@ profile gnome-weather @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
@{open_path} rPx -> child-open-help,
/usr/share/org.gnome.Weather/{,**} r, /usr/share/org.gnome.Weather/{,**} r,


@ -10,8 +10,6 @@ include <tunables/global>
profile yelp @{exec_path} { profile yelp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus/org.a11y>
include <abstractions/common/gnome> include <abstractions/common/gnome>
network netlink raw, network netlink raw,
@ -19,6 +17,7 @@ profile yelp @{exec_path} {
#aa:dbus own bus=session name=org.gnome.Yelp #aa:dbus own bus=session name=org.gnome.Yelp
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@ -32,7 +31,7 @@ profile yelp @{exec_path} {
@{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,
@{PROC}/zoneinfo r, @{PROC}/zoneinfo r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,


@ -17,6 +17,8 @@ profile baobab @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
# As a directory tree analyzer it needs full access to the filesystem # As a directory tree analyzer it needs full access to the filesystem
/ r, / r,
/** r, /** r,


@ -9,8 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/file-roller @{exec_path} = @{bin}/file-roller
profile file-roller @{exec_path} { profile file-roller @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-accessibility>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.portal.Desktop> include <abstractions/bus/org.freedesktop.portal.Desktop>
include <abstractions/common/gnome> include <abstractions/common/gnome>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -23,6 +21,8 @@ profile file-roller @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
# Archivers # Archivers
@{bin}/7z rix, @{bin}/7z rix,
@{bin}/7zz rix, @{bin}/7zz rix,
@ -38,8 +38,6 @@ profile file-roller @{exec_path} {
@{bin}/zstd rix, @{bin}/zstd rix,
@{lib}/p7zip/7z rix, @{lib}/p7zip/7z rix,
/ r,
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,


@ -32,6 +32,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
@{bin}/gjs-console rix, @{bin}/gjs-console rix,
@{bin}/xdg-dbus-proxy rix, @{bin}/xdg-dbus-proxy rix,
@{bin}/speech-dispatcher rPx, @{bin}/speech-dispatcher rPx,
@{open_path} rPx -> child-open-help,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
@ -65,7 +66,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/smaps r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,


@ -23,23 +23,17 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/usr/share/xml/iso-codes/{,**} r, @{open_path} rPx -> child-open-help,
/ r, /usr/share/xml/iso-codes/{,**} r,
owner @{tmp}/.@{rand6} rw, owner @{tmp}/.@{rand6} rw,
owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw,
owner @{tmp}/@{rand6} rw, owner @{tmp}/@{rand6} rw,
@{sys}/fs/cgroup/user.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/ r, /dev/ r,


@ -17,11 +17,11 @@ profile snapshot @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help,
owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_pictures_dirs}/Camera/{,**} rw,
owner @{user_videos_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/snapshot> include if exists <local/snapshot>
} }


@ -10,8 +10,6 @@ include <tunables/global>
profile totem @{exec_path} flags=(attach_disconnected) { profile totem @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio-client> include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus/org.a11y>
include <abstractions/bus/org.freedesktop.ScreenSaver> include <abstractions/bus/org.freedesktop.ScreenSaver>
include <abstractions/bus/org.gnome.SessionManager> include <abstractions/bus/org.gnome.SessionManager>
include <abstractions/common/gnome> include <abstractions/common/gnome>
@ -30,6 +28,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bwrap rCx -> bwrap, @{bin}/bwrap rCx -> bwrap,
@{open_path} rPx -> child-open-help,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/usr/share/grilo-plugins/{,**} r, /usr/share/grilo-plugins/{,**} r,
@ -56,7 +55,6 @@ profile totem @{exec_path} flags=(attach_disconnected) {
@{run}/mount/utab r, @{run}/mount/utab r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/task/@{tid}/comm w,
deny @{user_share_dirs}/gvfs-metadata/* r, deny @{user_share_dirs}/gvfs-metadata/* r,
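Review bot: Dropping `owner @{PROC}/@{pid}/task/@{tid}/comm w,` on line 333 replaces a write-only rule with the `rw` rule that `common/gnome` already carries for the same path (visible at line 34 of the abstraction hunk), so totem gains read access to its thread names as a side effect of the dedup; this is minor but is a widening rather than a pure cleanup, and the commit message only mentions open_path and bus accessibility. The same dedup happens in epiphany, foliate, fractal and snapshot, where the removed rule was already `rw`, so those are neutral. The enclosing totem profile starts and ends outside these hunks.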