mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-12-26 15:06:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): rewrite all xdg script profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-03 11:47:58 +01:00
parent 35b305f043
commit 896254c2ec
Failed to generate hash of commit
9 changed files with 255 additions and 223 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
apparmor.d/groups/freedesktop/xdg-desktop-icon
View file

@ -9,8 +9,38 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-desktop-icon
profile xdg-desktop-icon @{exec_path} {
include <abstractions/base>
include <abstractions/freedesktop.org>
@{exec_path} mr,
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/chmod ix,
@{bin}/cp ix,
@{bin}/cut ix,
@{bin}/mkdir ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/tr ix,
@{bin}/umask ix,
@{bin}/uname ix,
# To get DE information
@{bin}/kde{,4}-config ix,
@{bin}/dbus-send Cx -> bus,
@{bin}/xprop Px,
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-session>
include if exists <local/xdg-settings_bus>
}
include if exists <local/xdg-desktop-icon>
}

58
apparmor.d/groups/freedesktop/xdg-desktop-menu
View file

@ -10,37 +10,47 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-desktop-menu
profile xdg-desktop-menu @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
include <abstractions/nameservice-strict>
@{exec_path} r,
@{sh_path} rix,
@{bin}/mkdir rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/basename rix,
@{bin}/rm rix,
@{bin}/cp rix,
@{bin}/cat rix,
@{bin}/touch rix,
@{bin}/{m,g,}awk rix,
@{bin}/whoami rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/readlink rix,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/chmod ix,
@{bin}/cp ix,
@{bin}/cut ix,
@{bin}/dirname ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mv ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/umask ix,
@{bin}/uname ix,
@{bin}/update-desktop-database rPx,
# To get DE information
@{bin}/kde{,4}-config ix,
owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw,
owner @{user_share_dirs}/applications/chrome-*.desktop rw,
owner @{HOME}/.gnome/apps/chrome-*.desktop rw,
@{bin}/dbus-send Cx -> bus,
@{bin}/update-desktop-database Px,
@{bin}/xprop Px,
/usr/share/applications/*.desktop rw,
/usr/share/*/*.desktop r,
/usr/share/applications/defaults.list r,
/usr/share/applications/defaults.list.new w,
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-session>
include if exists <local/xdg-desktop-menu_bus>
}
include if exists <local/xdg-desktop-menu>
}

2
apparmor.d/groups/freedesktop/xdg-document-portal
View file

@ -59,7 +59,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
/dev/fuse rw,
owner /dev/tty@{int} rw,
profile fusermount {
profile fusermount flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

47
apparmor.d/groups/freedesktop/xdg-email
View file

@ -15,22 +15,39 @@ profile xdg-email @{exec_path} flags=(complain) {
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/cut rix,
@{bin}/echo rix,
@{bin}/gio rPx,
@{bin}/kreadconfig5 rPx,
@{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/tail rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xdg-mime rPx,
@{thunderbird_path} rPx,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cut ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/sed ix,
@{bin}/tail ix,
@{bin}/tr ix,
@{bin}/uname ix,
owner /dev/tty@{int} rw,
# To get DE information
@{bin}/kde{,4}-config ix,
@{bin}/gconftool{,-2} ix,
@{bin}/qtxdg-mat ix,
@{bin}/dbus-send Cx -> bus,
@{bin}/gdbus Cx -> bus,
@{bin}/kreadconfig{,5} Px,
@{bin}/xdg-mime Px,
@{bin}/xprop Px,
@{open_path} Px -> child-open-email,
@{thunderbird_path} Px,
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-session>
include if exists <local/xdg-email_bus>
}
include if exists <local/xdg-email>
}

53
apparmor.d/groups/freedesktop/xdg-icon-resource
View file

@ -11,36 +11,43 @@ include <tunables/global>
profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/freedesktop.org>
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/whoami rix,
@{bin}/sed rix,
@{bin}/basename rix,
@{bin}/mkdir rix,
@{bin}/cp rix,
@{bin}/rm rix,
@{bin}/readlink rix,
@{bin}/touch rix,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cp ix,
@{bin}/cut ix,
@{bin}/dirname ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/umask ix,
@{bin}/uname ix,
@{bin}/whoami ix,
@{bin}/gtk{,4}-update-icon-cache rPx,
# To get DE information
@{bin}/kde{,4}-config ix,
/usr/share/**/icons/**.png r,
/usr/share/icons/**.png rw,
/usr/share/icons/*/.xdg-icon-resource-dummy rw,
/usr/share/terminfo/** r,
@{bin}/dbus-send Cx -> bus,
@{bin}/gtk{,4}-update-icon-cache Px,
@{bin}/xprop Px,
owner @{tmp}/.com.google.Chrome.*/chrome-*.png r,
owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw,
owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw,
/opt/**/*.png r,
deny @{user_share_dirs}/gvfs-metadata/* r,
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-session>
include if exists <local/xdg-icon-resource_bus>
}
include if exists <local/xdg-icon-resource>
}

100
apparmor.d/groups/freedesktop/xdg-mime
View file

@ -3,8 +3,6 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# TODO: This profile needs to be rewritten and integrated with the xdg-open profiles.
abi <abi/4.0>,
include <tunables/global>
@ -16,73 +14,51 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/file rix,
@{bin}/head rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/which{,.debianutils} rix,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cut ix,
@{bin}/file ix,
@{bin}/head ix,
@{bin}/mkdir ix,
@{bin}/mv ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/umask ix,
@{bin}/uname ix,
@{bin}/gio rPx,
@{bin}/kbuildsycoca5 rPx,
@{bin}/ktraderclient5 rPUx,
@{bin}/vendor_perl/mimetype rPx,
@{bin}/mimetype rPx,
@{bin}/xprop rPx,
# To query DE information
@{bin}/gio ix,
@{bin}/gnomevfs-info ix,
@{bin}/gvfs-info ix,
@{bin}/kde{,4}-config ix,
@{bin}/kfile ix,
@{bin}/kmimetypefinder{,5} ix,
@{bin}/ktraderclient{,5} ix,
@{bin}/qtpaths ix,
@{bin}/qtxdg-mat ix,
/usr/share/file/misc/** r,
/usr/share/terminfo/** r,
@{bin}/dbus-send Cx -> bus,
@{bin}/kbuildsycoca{,5} Px,
@{bin}/mimetype Px,
@{bin}/vendor_perl/mimetype Px,
@{bin}/xprop Px,
owner @{HOME}/** r,
owner @{HOME}/.Xauthority r,
owner @{user_config_dirs}/mimeapps.list{,.new} rw,
owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,
owner @{run}/user/@{uid}/ r,
owner /tmp/wl-copy-buffer-@{rand6}/stdin r,
@{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
@{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
@{PROC}/version r,
/dev/dri/card@{int} rw,
/dev/tty rw,
# When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Xdg-mime works fine without this.
#@{bin}/dbus-launch rCx -> dbus,
#@{bin}/dbus-send rCx -> dbus,
deny @{bin}/dbus-launch rx,
deny @{bin}/dbus-send rx,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile dbus {
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
@{HOME}/.Xauthority r,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
include if exists <local/xdg-mime_dbus>
include <abstractions/app/bus>
include <abstractions/bus-session>
include if exists <local/xdg-mime_bus>
}
include if exists <local/xdg-mime>

58
apparmor.d/groups/freedesktop/xdg-open
View file

@ -10,51 +10,37 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-open
profile xdg-open @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/cut rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cut ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/sed ix,
@{bin}/tr ix,
@{bin}/uname ix,
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
# To get DE information
@{bin}/kde{,4}-config ix,
@{bin}/exo-open rPx,
@{bin}/gio rPx,
#@{bin}/kde-open5 rPUx,
@{bin}/ktraderclient5 rPUx,
@{bin}/dbus-send Cx -> bus,
@{bin}/gdbus Cx -> bus,
@{bin}/xprop Px,
@{bin}/xdg-mime Px,
@{open_path} Px -> child-open-any,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
/** r,
owner /** rw,
# freedesktop.org-strict
owner @{user_share_dirs}/applications/ r,
/usr/share/applications/*.desktop r,
/dev/tty rw,
profile dbus {
profile bus {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/app/bus>
include <abstractions/bus-session>
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
@{HOME}/.Xauthority r,
include if exists <local/xdg-open_bus>
}
include if exists <local/xdg-open>

55
apparmor.d/groups/freedesktop/xdg-screensaver
View file

@ -8,38 +8,49 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/xdg-screensaver
profile xdg-screensaver @{exec_path} {
profile xdg-screensaver @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/freedesktop.org>
@{exec_path} r,
@{bin}/ r,
@{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/{m,g,}awk ix,
@{bin}/basename ix,
@{bin}/cat ix,
@{bin}/cut ix,
@{bin}/dirname ix,
@{bin}/kill ix,
@{bin}/ln ix,
@{bin}/lockfile ix,
@{bin}/mktemp ix,
@{bin}/mv ix,
@{bin}/perl ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/uname ix,
@{bin}/xautolock ix,
@{sh_path} rix,
@{bin}/mv rix,
@{bin}/{,e}grep rix,
@{bin}/sed rix,
@{bin}/which{,.debianutils} rix,
@{bin}/cat rix,
@{bin}/uname rix,
@{bin}/dbus-send Cx -> bus,
@{bin}/xprop Px,
@{bin}/xset Px,
@{bin}/ps Px,
@{bin}/hostname Px,
@{bin}/xautolock rix,
@{bin}/dbus-send rix,
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-session>
@{bin}/xprop rPx,
@{bin}/xdg-mime rPx,
@{bin}/xset rPx,
@{bin}/hostname rix,
#aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy
#aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
owner @{HOME}/ r,
owner @{HOME}/.Xauthority r,
owner @{tmp}/xauth-@{int}-_[0-9] r,
owner @{run}/user/@{uid}/ r,
/dev/dri/card@{int} rw,
include if exists <local/xdg-screensaver_bus>
}
include if exists <local/xdg-screensaver>
}

73
apparmor.d/groups/freedesktop/xdg-settings
View file

@ -15,53 +15,48 @@ profile xdg-settings @{exec_path} {
@{exec_path} r,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/uname rix,
@{bin}/wc rix,
@{bin}/which{,.debianutils} rix,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat ix,
@{bin}/cut rix,
@{bin}/head ix,
@{bin}/mkdir ix,
@{bin}/mktemp ix,
@{bin}/mv ix,
@{bin}/readlink ix,
@{bin}/realpath rix,
@{bin}/rm ix,
@{bin}/sed ix,
@{bin}/sort ix,
@{bin}/touch ix,
@{bin}/tr ix,
@{bin}/uname ix,
@{bin}/wc ix,
@{bin}/dbus-launch rCx -> dbus,
@{bin}/dbus-send rCx -> dbus,
@{bin}/kreadconfig5 rPx,
@{bin}/xdg-mime rPx,
@{bin}/xprop rPx,
# To set/get DE information
@{bin}/gconftool{,-2} ix,
@{bin}/kde{,4}-config ix,
@{bin}/kwriteconfig{,5,6} ix,
@{bin}/qtxdg-mat ix,
/usr/share/terminfo/** r,
@{bin}/dbus-send Cx -> bus,
@{bin}/kreadconfig{,5} Px,
@{bin}/xdg-mime Px,
@{bin}/xprop Px,
/etc/xdg/xfce4/helpers.rc r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw,
owner @{HOME}/ r,
owner @{HOME}/.Xauthority r,
@{PROC}/version r,
owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw,
owner /dev/pts/@{int} rw,
owner @{run}/user/@{uid}/ r,
owner @{PROC}/@{pid}/fd/ r,
profile dbus {
profile bus flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/app/bus>
include <abstractions/bus-session>
@{bin}/dbus-launch mr,
@{bin}/dbus-send mr,
@{bin}/dbus-daemon rPx,
owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
include if exists <local/xdg-settings_dbus>
include if exists <local/xdg-settings_bus>
}
include if exists <local/xdg-settings>