feat(profile): add localsearch (renamed from tracker-extract

localsearch is the new name of tracker-extract. The profile for tracker-extract is kept as they will differ in the future.
2025-02-11 12:45:10 +01:00 · 2025-02-09 20:32:06 +01:00 · 2025-02-09 20:32:06 +01:00 · 86906d2601
commit 86906d2601
parent 63cbf2829b
3 changed files with 111 additions and 0 deletions
--- a/apparmor.d/groups/gnome/localsearch
+++ b/apparmor.d/groups/gnome/localsearch
@ -0,0 +1,69 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3
+profile localsearch @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
+  include <abstractions/bus/org.gtk.vfs.Daemon>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
+  include <abstractions/disks-read>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gnome-strict>
+  include <abstractions/graphics>
+  include <abstractions/gstreamer>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  #aa:dbus own bus=session name=org.freedesktop.LocalSearch3
+
+  @{exec_path} mr,
+
+  @{lib}/localsearch-extractor-3 ix, # nnp
+
+  /usr/share/localsearch3/{,**} r,
+  /usr/share/poppler/{,**} r,
+
+  # Allow to search user files
+  owner @{HOME}/ r,
+  owner @{HOME}/{,**} r,
+  owner @{MOUNTS}/{,**} r,
+  owner @{tmp}/*/{,**} r,
+
+  owner @{user_cache_dirs}/tracker3/ rw,
+  owner @{user_cache_dirs}/tracker3/files/ rw,
+  owner @{user_cache_dirs}/tracker3/files/** rwk,
+
+  owner /var/tmp/etilqs_@{hex15} rw,
+  owner /var/tmp/etilqs_@{hex16} rw,
+  owner @{tmp}/etilqs_@{hex15} rw,
+  owner @{tmp}/etilqs_@{hex16} rw,
+
+  @{run}/mount/utab r,
+
+  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+
+        @{PROC}/sys/fs/fanotify/max_user_marks r,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  /dev/media@{int} rw,
+  /dev/video@{int} rw,
+
+  include if exists <local/localsearch>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/gnome/localsearch-control
+++ b/apparmor.d/groups/gnome/localsearch-control
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/localsearch-control-3
+profile localsearch-control @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+
+  #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control
+
+  @{exec_path} mr,
+
+  include if exists <local/localsearch-control>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/gnome/localsearch-writeback
+++ b/apparmor.d/groups/gnome/localsearch-writeback
@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/localsearch-writeback-3
+profile localsearch-writeback @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+
+  #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback
+
+  @{exec_path} mr,
+
+  include if exists <local/localsearch-writeback>
+}
+
+# vim:syntax=apparmor