From 896254c2ec69f61d564303f3995e769ffb1c029d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 3 Oct 2024 11:47:58 +0100 Subject: [PATCH] feat(profile): rewrite all xdg script profiles. --- .../groups/freedesktop/xdg-desktop-icon | 32 +++++- .../groups/freedesktop/xdg-desktop-menu | 58 +++++----- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-email | 47 +++++--- .../groups/freedesktop/xdg-icon-resource | 53 ++++++---- apparmor.d/groups/freedesktop/xdg-mime | 100 +++++++----------- apparmor.d/groups/freedesktop/xdg-open | 58 ++++------ apparmor.d/groups/freedesktop/xdg-screensaver | 55 ++++++---- apparmor.d/groups/freedesktop/xdg-settings | 73 ++++++------- 9 files changed, 255 insertions(+), 223 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 0b0953f6..0d8512b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -9,8 +9,38 @@ include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include + include - @{exec_path} mr, + @{exec_path} r, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + + # To get DE information + @{bin}/kde{,4}-config ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 147d4c09..f86fbedc 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu 
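Review bot: The rewritten xdg-desktop-icon profile runs `cp`, `rm`, `chmod` and `mkdir` as `ix` but adds no file rule for the desktop directory the script installs entries into, and this profile carries no complain flag, so those inherited writes are denied unless one of the included abstractions (their targets are stripped in this rendering) already grants them. If none does, a narrow rule next to the exec list, something like `owner @{HOME}/@{XDG_DESKTOP_DIR}/** rw,` (using whatever desktop-dir tunable the project defines), is needed for the user mode; the system-mode target under `/usr/share/` would need its own root-only rule. The `bus` subprofile is `flags=(complain)`, so the `dbus-send Cx -> bus` transition currently logs rather than restricts; a comment such as `# TODO: bus rules still being learned, drop complain once collected` would make that staging explicit.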
@@ -10,37 +10,47 @@ include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/mkdir rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/basename rix, - @{bin}/rm rix, - @{bin}/cp rix, - @{bin}/cat rix, - @{bin}/touch rix, - @{bin}/{m,g,}awk rix, - @{bin}/whoami rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/readlink rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/update-desktop-database rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, - owner @{user_share_dirs}/applications/chrome-*.desktop rw, - owner @{HOME}/.gnome/apps/chrome-*.desktop rw, + @{bin}/dbus-send Cx -> bus, + @{bin}/update-desktop-database Px, + @{bin}/xprop Px, - /usr/share/applications/*.desktop rw, - /usr/share/*/*.desktop r, - - /usr/share/applications/defaults.list r, - /usr/share/applications/defaults.list.new w, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 611e1ab9..f93a4f2b 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -59,7 +59,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { /dev/fuse rw, owner /dev/tty@{int} rw, - profile fusermount { + profile fusermount flags=(attach_disconnected) { include include 
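Review bot: This hunk removes every file rule the old xdg-desktop-menu profile had for the entries it writes (`@{user_config_dirs}/menus/applications-merged/...`, `@{user_share_dirs}/applications/chrome-*.desktop`, `/usr/share/applications/*.desktop rw`, `defaults.list`) without replacing them, while `cp`, `mv`, `ln`, `rm` and `touch` now run as `ix` and so inherit this profile's file permissions. Because the profile is `flags=(complain)` this only produces log noise for now, but the known write targets can be restored in narrower form today instead of being re-learned: `owner @{user_share_dirs}/applications/{,*.desktop} rw,` and `owner @{user_config_dirs}/menus/applications-merged/{,*.menu} rw,`. The old unowned `/usr/share/applications/*.desktop rw` should only come back, if at all, for the root/system-mode case. Whether an included abstraction already covers these cannot be checked here because the include targets are not visible in this rendering.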
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index d7228b65..cf580cea 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -15,22 +15,39 @@ profile xdg-email @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cut rix, - @{bin}/echo rix, - @{bin}/gio rPx, - @{bin}/kreadconfig5 rPx, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xdg-mime rPx, - @{thunderbird_path} rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tail ix, + @{bin}/tr ix, + @{bin}/uname ix, - owner /dev/tty@{int} rw, + # To get DE information + @{bin}/kde{,4}-config ix, + @{bin}/gconftool{,-2} ix, + @{bin}/qtxdg-mat ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, + @{open_path} Px -> child-open-email, + @{thunderbird_path} Px, + + profile bus flags=(complain) { + include + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index bda6621d..4f29d38a 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource 
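Review bot: `@{open_path} Px -> child-open-email` and `@{thunderbird_path} Px` are two exec rules with different transition targets; if `@{open_path}` expands to a glob that also matches `@{thunderbird_path}` (both tunables are defined outside this hunk), the parser can reject the profile for conflicting x modifiers, so confirm the two sets are disjoint. Separately, `gconftool{,-2}`, `kde{,4}-config` and `qtxdg-mat` are compiled helpers now run as `ix`, meaning every file and D-Bus access they need is charged to the xdg-email profile itself rather than to a profile of their own; the `# To get DE information` comment would carry more for the next maintainer as `# DE detection helpers; ix so their accesses are accounted to this profile`. The profile is `flags=(complain)`, so none of this is enforced yet.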
@@ -11,36 +11,43 @@ include profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include - include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/whoami rix, - @{bin}/sed rix, - @{bin}/basename rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/rm rix, - @{bin}/readlink rix, - @{bin}/touch rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + @{bin}/whoami ix, - @{bin}/gtk{,4}-update-icon-cache rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - /usr/share/**/icons/**.png r, - /usr/share/icons/**.png rw, - /usr/share/icons/*/.xdg-icon-resource-dummy rw, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/gtk{,4}-update-icon-cache Px, + @{bin}/xprop Px, - owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, - - owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, - owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, - /opt/**/*.png r, - - deny @{user_share_dirs}/gvfs-metadata/* r, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index c31ff006..e2486f9f 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -3,8 +3,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# TODO: This profile needs to be rewritten and integrated with the xdg-open profiles. - abi , include 
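Review bot: xdg-icon-resource stays in enforce mode (`flags=(attach_disconnected)` only) yet this hunk deletes all of its icon-tree file rules (`/usr/share/icons/**.png rw`, `owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw`, the `.xdg-icon-resource-dummy` probe files) while switching `cp`, `mkdir`, `rm`, `ln` and `touch` to `ix`, so those helpers inherit a profile with no write permission to the icon directories and the install/uninstall commands will be denied. Unless an included abstraction (targets stripped in this rendering) supplies it, add at least `owner @{user_share_dirs}/icons/{,**} rw,` for the user mode and a root-only rule for `/usr/share/icons/**` if system mode is still meant to work. The removed `deny @{user_share_dirs}/gvfs-metadata/* r` presumably existed only to silence audit noise; without it those read attempts are still refused but will be logged again.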
@@ -16,73 +14,51 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/file rix, - @{bin}/head rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/gio rPx, - @{bin}/kbuildsycoca5 rPx, - @{bin}/ktraderclient5 rPUx, - @{bin}/vendor_perl/mimetype rPx, - @{bin}/mimetype rPx, - @{bin}/xprop rPx, + # To query DE information + @{bin}/gio ix, + @{bin}/gnomevfs-info ix, + @{bin}/gvfs-info ix, + @{bin}/kde{,4}-config ix, + @{bin}/kfile ix, + @{bin}/kmimetypefinder{,5} ix, + @{bin}/ktraderclient{,5} ix, + @{bin}/qtpaths ix, + @{bin}/qtxdg-mat ix, - /usr/share/file/misc/** r, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kbuildsycoca{,5} Px, + @{bin}/mimetype Px, + @{bin}/vendor_perl/mimetype Px, + @{bin}/xprop Px, - owner @{HOME}/** r, - owner @{HOME}/.Xauthority r, - owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, - owner @{run}/user/@{uid}/ r, - - owner /tmp/wl-copy-buffer-@{rand6}/stdin r, - - @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, - - @{PROC}/version r, - - /dev/dri/card@{int} rw, /dev/tty rw, - # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon 
--syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-mime works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - profile dbus { + profile bus flags=(complain) { include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if exists + include + include + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 096132af..8e90bc42 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
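Review bot: The new rule set drops `owner @{user_config_dirs}/mimeapps.list{,.new} rw` and `owner @{HOME}/** r`, but xdg-mime stays in enforce mode, so `xdg-mime default ...` (which rewrites `mimeapps.list` through the `mv`/`rm`/`touch` helpers that now run as `ix`) and `xdg-mime query filetype <file>` (which must read the target file) will be denied unless an included abstraction, whose target is stripped in this rendering, supplies those paths. Re-adding the narrow write rule `owner @{user_config_dirs}/mimeapps.list{,.new} rw,` is cheap and avoids a regression; the broad `@{HOME}/** r` should not return as-is, but some read path to the files being classified is required. Replacing the explicit `deny @{bin}/dbus-launch rx` with nothing is fine for `dbus-launch` (still refused, now logged), and `dbus-send` is correctly routed via `Cx -> bus`, though that subprofile is `flags=(complain)` and therefore does not yet restrict which bus names it may reach. The profile's closing brace lies outside this hunk.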
@@ -10,51 +10,37 @@ include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/uname ix, - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - @{bin}/exo-open rPx, - @{bin}/gio rPx, - #@{bin}/kde-open5 rPUx, - @{bin}/ktraderclient5 rPUx, + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/xprop Px, + @{bin}/xdg-mime Px, + @{open_path} Px -> child-open-any, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - - /** r, - owner /** rw, - - # freedesktop.org-strict - owner @{user_share_dirs}/applications/ r, - /usr/share/applications/*.desktop r, - - /dev/tty rw, - - profile dbus { + profile bus { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 784c6336..c142d137 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
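Review bot: Removing `/** r` and `owner /** rw` from xdg-open is the right call, since this profile sits on the boundary where an attacker-controlled URL or path arrives from a browser or mail client, but the new `bus` subprofile is the only one in this patch without `flags=(complain)`, so the `gdbus Cx -> bus` and `dbus-send Cx -> bus` transitions are enforced immediately. Its body is only includes (targets not visible in this rendering), so confirm they carry a `dbus send` rule for the portal `OpenURI` call that xdg-open presumably makes via gdbus in sandboxed sessions; otherwise that path is simply denied. A comment on the subprofile such as `# enforced on purpose: only the bus rules pulled in by the abstractions are allowed` would record that the asymmetry with the sibling profiles is intentional.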
@@ -8,38 +8,49 @@ abi , include @{exec_path} = @{bin}/xdg-screensaver -profile xdg-screensaver @{exec_path} { +profile xdg-screensaver @{exec_path} flags=(complain) { include include include @{exec_path} r, - @{bin}/ r, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/kill ix, + @{bin}/ln ix, + @{bin}/lockfile ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/perl ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/uname ix, + @{bin}/xautolock ix, - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + @{bin}/xset Px, + @{bin}/ps Px, + @{bin}/hostname Px, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, + profile bus flags=(complain) { + include + include + include - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, - @{bin}/xset rPx, - @{bin}/hostname rix, + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - - owner @{run}/user/@{uid}/ r, - - /dev/dri/card@{int} rw, + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 38ae2c1b..f64b879f 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
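Review bot: This hunk moves xdg-screensaver from enforce into `flags=(complain)` while also widening its exec set (`perl`, `kill`, `lockfile`, `xautolock`, `mktemp` as `ix`), so the profile now permits more and enforces nothing; acceptable as a learning step, but it deserves a stated reason. The two `#aa:dbus talk` directives in the `bus` subprofile are commented out, so no D-Bus rules for `org.freedesktop.ScreenSaver` / `org.gnome.ScreenSaver` are generated and the subprofile (also complain) will merely log whatever it calls, presumably the Inhibit/UnInhibit methods; if they are meant to be re-enabled once the peer labels are confirmed, say so: `# TODO: enable once the screensaver peer labels are verified, then drop complain`. `@{bin}/hostname` changed from `rix` to `Px`, which requires a hostname profile to exist, since an unmatched `Px` target is refused rather than inherited.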
@@ -15,53 +15,48 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/uname rix, - @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - @{bin}/kreadconfig5 rPx, - @{bin}/xdg-mime rPx, - @{bin}/xprop rPx, + # To set/get DE information + @{bin}/gconftool{,-2} ix, + @{bin}/kde{,4}-config ix, + @{bin}/kwriteconfig{,5,6} ix, + @{bin}/qtxdg-mat ix, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, - /etc/xdg/xfce4/helpers.rc r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, + @{PROC}/version r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, + owner /dev/pts/@{int} rw, - owner @{run}/user/@{uid}/ r, - - owner @{PROC}/@{pid}/fd/ r, - - profile dbus { + profile bus flags=(complain) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if exists + include if exists } include if exists
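Review bot: Four helpers in the new list keep `rix` (`{,e}grep`, `basename`, `cut`, `realpath`) while the rest of the same block was normalised to `ix`, which looks like an oversight in a hunk whose purpose is that normalisation; make them `@{bin}/{,e}grep ix,` and so on so the block is uniform. More substantively, `kwriteconfig{,5,6} ix` and `gconftool{,-2} ix` are binaries that presumably write the desktop's config store on `xdg-settings set ...`, and because `ix` makes them inherit this profile, which carries no complain flag, those writes will be denied unless an included abstraction (targets stripped in this rendering) grants them; either a `Px`/`Cx` to a dedicated profile or an explicit rule in the style of `owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rw,` is needed. The narrowed `helpers.rc{,.@{rand6}}` pattern replacing `{,.*}` is a good tightening. The profile's closing brace lies outside this hunk.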