From 8bdce8bd620ea9cd888cb83b068032464a60293d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 12 Mar 2023 15:24:53 +0000 Subject: [PATCH] feat(profiles): finishing replacing local *_ext variables. --- apparmor.d/groups/apps/calibre | 138 ++++++++---------------- apparmor.d/profiles-a-f/atril | 73 ++++--------- apparmor.d/profiles-a-f/atrild | 6 -- apparmor.d/profiles-m-r/mpv | 162 ++++++++--------------------- apparmor.d/profiles-m-r/qnapi | 111 +++++++------------- apparmor.d/profiles-m-r/qpdfview | 112 ++++++-------------- apparmor.d/profiles-s-z/smplayer | 145 ++++++++------------------ apparmor.d/profiles-s-z/vidcutter | 150 ++++++++------------------ apparmor.d/profiles-s-z/youtube-dl | 66 +++--------- apparmor.d/profiles-s-z/yt-dlp | 44 ++------ apparmor.d/profiles-s-z/ytdl | 54 ++-------- 11 files changed, 291 insertions(+), 770 deletions(-) diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index b2b00cb0..d2fb41f2 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -1,21 +1,12 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# PDF extensions -# pdf, epub, txt, html, mhtml, ps, mobi, djvu -@{calibre_ext} = [pP][dF][fF] -@{calibre_ext} += [eE][pP][uU][bB] -@{calibre_ext} += [tT][xX][tT] -@{calibre_ext} += {[mM],}[hH][tT][mM][lL] -@{calibre_ext} += [pP][sS] -@{calibre_ext} += [mM][oO][bB][iI] -@{calibre_ext} += [dD][jJ][vV][uU] - @{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} @{exec_path} += /{usr/,}bin/calibredb @{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert} 
@@ -50,33 +41,37 @@ profile calibre @{exec_path} { @{exec_path} mrix, /{usr/,}bin/python3.[0-9]* r, - #/{usr/,}bin/ r, - - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/ldconfig rix, - /{usr/,}bin/uname rix, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/file rix, + /{usr/,}bin/uname rix, + /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, /{usr/,}bin/pdftoppm rPUx, # (#FIXME#) /{usr/,}bin/pdfinfo rPUx, /{usr/,}bin/pdftohtml rPUx, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rPx -> child-open, /{usr/,}bin/xdg-mime rPx, - # Which files calibre should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{calibre_ext} rw, - /usr/share/calibre/{,**} r, + /usr/share/hwdata/pnp.ids r, + /usr/share/qt5/**.pak r, + /usr/share/qt5ct/** r, - owner @{user_books_dirs} rw, - owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**, + /etc/fstab r, + /etc/inputrc r, + /etc/magic r, + /etc/mime.types r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_work_dirs}/{,**} rwl, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, 
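Review bot: `owner @{user_books_dirs}/{,**} rwl,` drops both the `k` lock permission and the explicit link target of the replaced `owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,`, and the same unbounded `rwl` is granted on @{user_documents_dirs}, @{user_torrents_dirs} and @{user_work_dirs}. Without a `-> target` the link grant is limited only by the subset rule on the target path, so hard links can now be created across all four trees instead of inside the library, and a file lock calibre takes on its library (if it still does) would now be denied; `owner @{user_books_dirs}/{,**} rwkl -> @{user_books_dirs}/**,` keeps the old bound. `/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,` also arrives here without the `# no new privs` comment that the next hunk deletes; keep that comment on the rule, since it is the only record of why the renderer runs `ix` rather than under its own profile.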
@@ -89,92 +84,43 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/ rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, + owner @{user_config_dirs}/qt5ct/{,**} r, + owner /tmp/calibre_*_tmp_*/{,**} rw, owner /tmp/calibre-*/{,**} rw, owner /tmp/[0-9]*-*/ rw, owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, owner /tmp/* rw, - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/status r, - owner @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny owner @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/net/route r, - deny @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/vmstat r, - - /etc/fstab r, - - owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - - # no new privs - /{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, - /usr/share/qt5/**.pak r, + owner /dev/shm/#[0-9]*[0-9] rw, @{sys}/devices/pci[0-9]*/**/irq r, - /dev/shm/#[0-9]*[0-9] rw, + @{PROC}/ r, + 
@{PROC}/@{pid}/net/route r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/task/ r, + owner @{PROC}/@{pids}/task/@{tid}/status r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - /etc/mime.types r, - /etc/inputrc r, - /etc/magic r, - - # file_inherit owner /dev/tty[0-9]* rw, - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPx, - /{usr/,}bin/qpdfview rPx, - /{usr/,}bin/viewnior rPUx, - /{usr/,}bin/spacefm rPx, - /{usr/,}bin/chromium rPx, - /{usr/,}bin/ebook-viewer rPx, - /{usr/,}bin/ebook-edit rPx, - - owner /{home,media}/**.@{calibre_ext} rw, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 67976e57..aa9211f5 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril 
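Review bot: The deleted `open` subprofile explicitly allowed `/{usr/,}bin/ebook-viewer rPx,` and `/{usr/,}bin/ebook-edit rPx,` as xdg-open targets, and the `rPx -> child-open` transition that replaces it (previous hunk) only preserves that if the shared child-open profile covers those two helpers; child-open is not on this page, so confirm before merge. The pre-existing `owner /tmp/* rw,` also survives next to the new `owner /tmp/calibre_*_tmp_*/{,**} rw,` and `owner /tmp/calibre-*/{,**} rw,`; it already matches every user-owned entry directly under /tmp, so a comment naming what calibre actually writes there would let the wide rule be tightened later.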
@@ -1,31 +1,22 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Ebooks extensions -# pdf, epub, djvu -@{atril_ext} = [pP][dD][fF] -@{atril_ext} += [eE][pP][uU][bB] -@{atril_ext} += [dD][jJ][vV][uU] - -# PNG preview -@{atril_ext} += [pP][nN][gG] - @{exec_path} = /{usr/,}bin/atril{,-*} profile atril @{exec_path} { include include - include - include include + include include - include - include + include include + include network netlink raw, @@ -38,34 +29,16 @@ profile atril @{exec_path} { /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, - # Which media files atril should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - /tmp/ r, - /tmp/mozilla_*/ r, - owner /{home,media,tmp}/**.@{atril_ext} rw, - /usr/share/atril/{,**} r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, + /usr/share/poppler/{,**} r, /etc/fstab r, - /usr/share/poppler/{,**} r, + owner @{HOME}/ r, + owner @{user_documents_dirs}/{,**} rw, + owner @{user_books_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_work_dirs}/{,**} rw, owner @{user_config_dirs}/atril/{,*} rw, 
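Review bot: In the second hunk, dropping `/tmp/mozilla_*/ r,` and `owner /{home,media,tmp}/**.@{atril_ext} rw,` removes the only rules that let atril open a document a browser saved under /tmp/mozilla_*, and none of the added @{user_*_dirs} rules reach /tmp; if that workflow is still wanted, a read-only rule such as `owner /tmp/mozilla_*/*.pdf r,` (constructed example) is the narrowest replacement. `owner @{user_documents_dirs}/{,**} rw,` and its three siblings also give a viewer write access to every file in Documents, Books, Torrents and Work, where the old rule was limited to the viewer's own file types; a comment stating why write (rather than `r` plus the annotation/save paths) is needed across whole trees would help the next reviewer. `/usr/share/atril/{,**} r,` is removed without a visible replacement, presumably covered by one of the reordered includes whose targets were stripped in rendering — worth confirming.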
@@ -74,21 +47,19 @@ profile atril @{exec_path} { owner /tmp/gtkprint_* rw, owner /tmp/settings*.ini rw, owner /tmp/settings*.ini.* rw, + owner /tmp/atril-@{pid}/{,**} rw, - owner /tmp/atril-@{pid}/ rw, - owner /tmp/atril-@{pid}/*/ rw, - owner /tmp/atril-@{pid}/*/mimetype rw, - owner /tmp/atril-@{pid}/*/META-INF/ rw, - owner /tmp/atril-@{pid}/*/META-INF/container.xml rw, - owner /tmp/atril-@{pid}/*/index_split_[0-9]*.html rw, - owner /tmp/atril-@{pid}/*/page_styles.css rw, - owner /tmp/atril-@{pid}/*/titlepage.xhtml rw, - owner /tmp/atril-@{pid}/*/stylesheet.css rw, - owner /tmp/atril-@{pid}/*/images/ rw, - owner /tmp/atril-@{pid}/*/images/*.jpg rw, - owner /tmp/atril-@{pid}/*/toc.ncx rw, - owner /tmp/atril-@{pid}/*/content.opf rw, - owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/** r, + + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/statm r, + deny owner @{PROC}/@{pid}/cmdline r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild index 6240c486..c9cf4324 100644 --- a/apparmor.d/profiles-a-f/atrild +++ b/apparmor.d/profiles-a-f/atrild @@ -6,12 +6,6 @@ abi , include -# Ebooks extensions -# pdf, epub, djvu -@{qpdfview_ext} = [pP][dD][fF] -@{qpdfview_ext} += [eE][pP][uU][bB] -@{qpdfview_ext} += [dD][jJ][vV][uU] - @{exec_path} = /{usr/,}lib/atril/atrild profile atrild @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 79c82891..d0915c40 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv 
@@ -1,80 +1,27 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, flv -@{mpv_ext} = [aA]{52,[aA][cC],[cC]3} -@{mpv_ext} += [mM][kK][aA] -@{mpv_ext} += [fF][lL][aA][cC] -@{mpv_ext} += [mM][pP][123cC] -@{mpv_ext} += [oO][gGmM][aA] -@{mpv_ext} += [wW]{,[aA]}[vV] -@{mpv_ext} += [wW][mM]{,[aA]} -@{mpv_ext} += 3[gG]{[2pP],[pP][2pP]} -@{mpv_ext} += [aA][sS][fF] -@{mpv_ext} += [aA][vV][iI] -@{mpv_ext} += [dD][iI][vV][xX] -@{mpv_ext} += [mM][124][vV] -@{mpv_ext} += [mM][kKoO][vV] -@{mpv_ext} += [mM][pP][4aAeEgG] -@{mpv_ext} += [mM][pP][eE][gG]{,[124]} -@{mpv_ext} += [oO][gG][gGmMxXvV] -@{mpv_ext} += [rR][mM]{,[vV][bB]} -@{mpv_ext} += [wW][eE][bB][mM] -@{mpv_ext} += [wW][mMtT][vV] -@{mpv_ext} += [mM][pP]2[tT] -@{mpv_ext} += [fF][lL][vV] - -# Image extensions -# bmp, jpg, jpeg, png, gif -@{mpv_ext} += [bB][mM][pP] -@{mpv_ext} += [jJ][pP]{,[eE]}[gG] -@{mpv_ext} += [pP][nN][gG] -@{mpv_ext} += [gG][iI][fF] - -# Subtitle extensions: -# srt, txt, sub -@{mpv_ext} += [sS][rR][tT] -@{mpv_ext} += [tT][xX][tT] -@{mpv_ext} += [sS][uU][bB] - -# Playlist extensions: -# m3u, m3u8, pls -@{mpv_ext} += [mM]3[uU]{,8} -@{mpv_ext} += [pP][lL][sS] - -# For Qbittorrent !qB extension -@{mpv_ext} += "!qB" - - @{exec_path} = /{usr/,}bin/mpv profile mpv @{exec_path} { include + include include - include - include include + include include include - include include - include - include - include + include include include - - signal (receive) set=(term, kill), - - signal (send) set=(term, kill) peer=youtube-dl, - signal (send) set=(term, kill) peer=yt-dlp, + include + include network inet dgram, network 
inet6 dgram, 
@@ -82,79 +29,62 @@ profile mpv @{exec_path} { network inet6 stream, network netlink raw, + signal (receive) set=(term, kill), + + signal (send) set=(term, kill) peer=youtube-dl, + signal (send) set=(term, kill) peer=yt-dlp, + @{exec_path} mr, - # MPV config files + /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + + /{usr/,}bin/youtube-dl rPx, + /{usr/,}bin/yt-dlp rPx, + /etc/mpv/* r, - owner @{user_config_dirs}/mpv/ rw, - owner @{user_config_dirs}/mpv/* rw, - - # Which files MPV should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - /tmp/ r, - owner /tmp/mpsyt-input* rw, - owner /tmp/mpsyt-mpv*.sock rw, - owner /tmp/smplayer-mpv-* rw, - owner /tmp/mozilla_*/ r, - owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw, - - # For SMB shares - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{mpv_ext} r, - - # For the SMPlayer's builtin thumbnail generator - owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w, - - # For SMPlayer's screenshots - owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w, - - # Media downloaded by firefox - #deny owner /tmp/mozilla_*/* r, + /etc/samba/smb.conf r, /etc/machine-id r, /var/lib/dbus/machine-id r, + owner @{HOME}/ r, + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_config_dirs}/mpv/ rw, + owner @{user_config_dirs}/mpv/* rw, + + /tmp/ r, + owner /tmp/mpsyt-input* rw, + owner /tmp/mpsyt-mpv*.sock rw, + owner /tmp/smplayer-mpv-* rw, + owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w, + owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w, + + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/ r, - ##include - /etc/vdpau_wrapper.cfg r, - - 
#/etc/samba/smb.conf r, - - # What's this for? (since v0.30.0) - @{sys}/bus/ r, - @{sys}/class/ r, - # - @{sys}/class/input/ r, - @{sys}/devices/**/input/**/uevent r, - @{sys}/devices/**/input/**/capabilities/* r, - /dev/input/event[0-9]* r, @{run}/udev/data/+input:input[0-9]* r, - @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* - # - @{sys}/class/sound/ r, - @{sys}/devices/**/sound/**/uevent r, - @{sys}/devices/**/sound/**/capabilities/* r, @{run}/udev/data/+sound:* r, + @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c116:[0-9]* r, # for ALSA - # Be able to turn off the screensaver while playing movies - /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/input/ r, + @{sys}/class/sound/ r, + @{sys}/devices/**/input/**/capabilities/* r, + @{sys}/devices/**/input/**/uevent r, + @{sys}/devices/**/sound/**/capabilities/* r, + @{sys}/devices/**/sound/**/uevent r, - # External apps - /{usr/,}bin/youtube-dl rPUx, - /{usr/,}bin/yt-dlp rPUx, - - # file_inherit + /dev/input/event[0-9]* r, owner /dev/tty[0-9]* rw, - owner @{HOME}/.xsession-errors w, - profile xdg-screensaver { include diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 7942f025..96d639b0 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi 
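Review bot: `owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,` replaces a rule that matched only `.@{mpv_ext}` files, so mpv can now read any user-owned file on any mounted SMB share rather than media only; with the extension variable gone this is the widest rule in the hunk and deserves either a comment or a narrower pattern. The `/tmp/mozilla_*` rules are removed here as well, so media a browser saved under /tmp/mozilla_* can no longer be played even though `/tmp/ r,` stays. Two rationale comments were lost in the reorder: `# Be able to turn off the screensaver while playing movies` on the xdg-screensaver `rCx` line and the `(since v0.30.0)` note on the @{sys}/class/input and sound rules; keep them beside the moved rules so the reason for those accesses survives. The xdg-screensaver subprofile begins at the end of this hunk and its body is outside it.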
@@ -1,61 +1,26 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t -@{qnapi_vid_ext} = [aA]{52,[aA][cC],[cC]3} -@{qnapi_vid_ext} += [mM][kK][aA] -@{qnapi_vid_ext} += [fF][lL][aA][cC] -@{qnapi_vid_ext} += [mM][pP][123cC] -@{qnapi_vid_ext} += [oO][gGmM][aA] -@{qnapi_vid_ext} += [wW]{,[aA]}[vV] -@{qnapi_vid_ext} += [wW][mM]{,[aA]} -@{qnapi_vid_ext} += 3[gG]{[2pP],[pP][2pP]} -@{qnapi_vid_ext} += [aA][sS][fF] -@{qnapi_vid_ext} += [aA][vV][iI] -@{qnapi_vid_ext} += [dD][iI][vV][xX] -@{qnapi_vid_ext} += [mM][124][vV] -@{qnapi_vid_ext} += [mM][kKoO][vV] -@{qnapi_vid_ext} += [mM][pP][4aAeEgG] -@{qnapi_vid_ext} += [mM][pP][eE][gG]{,[124]} -@{qnapi_vid_ext} += [oO][gG][gGmMxXvV] -@{qnapi_vid_ext} += [rR][mM]{,[vV][bB]} -@{qnapi_vid_ext} += [wW][eE][bB][mM] -@{qnapi_vid_ext} += [wW][mMtT][vV] -@{qnapi_vid_ext} += [mM][pP]2[tT] - -# Subtitle extensions: -# srt, txt, sub -@{qnapi_txt_ext} = [sS][rR][tT] -@{qnapi_txt_ext} += [tT][xX][tT] -@{qnapi_txt_ext} += [sS][uU][bB] - @{exec_path} = /{usr/,}bin/qnapi profile qnapi @{exec_path} { include - include - include - include - include - include include + include + include + include + include include - include - include include + include + include include - include - - # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the - # action (stop qnapi), the apps send the term/kill signal to qnapi. - signal (receive) set=(kill, term), + include network inet dgram, network inet6 dgram, 
@@ -64,64 +29,60 @@ profile qnapi @{exec_path} { network netlink raw, network netlink dgram, + # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the + # action (stop qnapi), the apps send the term/kill signal to qnapi. + signal (receive) set=(kill, term), + @{exec_path} mr, /{usr/,}bin/7z rix, /{usr/,}lib/p7zip/7z rix, - /{usr/,}bin/ffprobe rPUx, + /{usr/,}bin/ffprobe rPx, /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}lib/firefox/firefox rPx, - # Movie dirs - @{MOUNTS}/ r, - owner @{MOUNTS}/** r, - owner @{MOUNTS}/**#[0-9]*[0-9] rw, - owner @{MOUNTS}/**.@{qnapi_vid_ext} r, - owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9], + /usr/share/qt5ct/** r, + /usr/share/hwdata/pnp.ids r, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, owner @{HOME}/ r, + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + owner @{user_config_dirs}/qnapi.ini rw, owner @{user_config_dirs}/qnapi.ini.lock rwk, owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - owner @{user_cache_dirs}/ rw, - /usr/share/hwdata/pnp.ids r, + /tmp/ r, + owner /tmp/@{hex}.* rw, + owner /tmp/** rw, + owner /tmp/#[0-9]*[0-9] rw, + owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9], + owner /tmp/QNapi-*-rc.lock rwk, + owner /tmp/QNapi.[0-9]*.tmp rw, + owner /tmp/QNapi.[0-9]*.tmp.* rw, + owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#[0-9]*[0-9], + owner /tmp/QNapi.[0-9]*[0-9] rw, - /dev/shm/#[0-9]*[0-9] rw, + owner /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, deny @{PROC}/sys/kernel/random/boot_id r, - /etc/fstab r, - - /tmp/ r, - owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9], - owner 
/tmp/QNapi-*-rc.lock rwk, - owner /tmp/QNapi.[0-9]*.tmp rw, - owner /tmp/QNapi.[0-9]*[0-9] rw, - owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw, - owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9], - owner /tmp/@{hex}.@{qnapi_txt_ext} rw, - owner /tmp/*.@{qnapi_txt_ext} rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - # file_inherit owner /dev/tty[0-9]* rw, - profile open { include include diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index a7ddef9a..1a90d973 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -1,33 +1,27 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Ebooks extensions -# pdf, epub, djvu -@{qpdfview_ext} = [pP][dD][fF] -@{qpdfview_ext} += [eE][pP][uU][bB] -@{qpdfview_ext} += [dD][jJ][vV][uU] - @{exec_path} = /{usr/,}bin/qpdfview profile qpdfview @{exec_path} { include - include - include - include - include - include - include - include - include - include include - include + include + include + include + include + include + include include + include include + include + include @{exec_path} mr, 
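Review bot: The added `owner /tmp/** rw,` grants read/write on every user-owned file and directory under /tmp, which makes the adjacent `owner /tmp/QNapi-*-rc.lock rwk,`, `owner /tmp/QNapi.[0-9]*.tmp rw,` and `owner /tmp/@{hex}.* rw,` rules redundant and lets a subtitle downloader reach other applications' temporary files (player sockets, browser downloads, session state). The previous rules were limited to QNapi's own names plus `.@{qnapi_txt_ext}` files; if the subtitle suffixes are the reason for the wildcard, `owner /tmp/*.{srt,sub,txt} rw,` (constructed) keeps that behaviour without the blanket grant, and the remaining specific rules then still carry their meaning. The `open` subprofile that starts at the end of this hunk continues outside it.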
@@ -36,18 +30,24 @@ profile qpdfview @{exec_path} { /{usr/,}bin/bzip2 rix, /{usr/,}bin/xz rix, - /{usr/,}bin/xdg-open rCx -> open, + /{usr/,}bin/xdg-open rPx -> child-open, + /{usr/,}lib/firefox/firefox rPUx, + + /usr/share/hwdata/pnp.ids r, + /usr/share/poppler/** r, + /usr/share/qt5ct/** r, + /usr/share/djvu/** r, + + /etc/fstab r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, - # Which media files qpdfview should be able to open - / r, - /home/ r, owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - /tmp/ r, - /tmp/mozilla_*/ r, - owner /{home,media,tmp}/**.@{qpdfview_ext} rw, + owner @{user_documents_dirs}/{,**} rw, + owner @{user_books_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_work_dirs}/{,**} rw, owner @{user_config_dirs}/qpdfview/ rw, owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9], 
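Review bot: `/{usr/,}lib/firefox/firefox rPUx,` is added at top level while the same commit moves qnapi's firefox line to `rPx`; `PUx` falls back to unconfined whenever no firefox profile is loaded, so the two profiles should agree, and since `/{usr/,}bin/xdg-open rPx -> child-open,` now handles opening links the direct firefox rule may be unnecessary altogether. If it stays, a comment saying which qpdfview action execs firefox directly would justify it, as the deleted `# Allowed apps to open` comment once did. The new `owner @{user_documents_dirs}/{,**} rw,` and siblings give write access to all four trees; noting what qpdfview writes there (save-as goes through `/tmp/qpdfview.*.pdf` in the next hunk) would let a reviewer judge whether `r` suffices.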
@@ -56,69 +56,19 @@ profile qpdfview @{exec_path} { owner @{user_share_dirs}/qpdfview/** rwk, owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /dev/shm/#[0-9]*[0-9] rw, - - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /usr/share/poppler/** r, - - /usr/share/hwdata/pnp.ids r, - - # Print + owner /dev/shm/#[0-9]*[0-9] rw, owner /tmp/@{hex} rw, - - # Save as owner /tmp/#[0-9]*[0-9] rw, owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9], - /usr/share/djvu/** r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, + deny owner @{PROC}/@{pid}/cmdline r, - # Plugins - #/{usr/,}bin/libqpdfview_ps.so mr, - #/{usr/,}bin/libqpdfview_djvu.so mr, - #/{usr/,}lib/qpdfview/libqpdfview_ps.so mr, - #/{usr/,}lib/qpdfview/libqpdfview_djvu.so mr, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - # file_inherit owner /dev/tty[0-9]* rw, - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index c156317f..6fe49eac 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer 
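Review bot: The `# Print` and `# Save as` comments that explained `owner /tmp/@{hex} rw,` and `owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9],` are dropped while the rules are kept; without them the hex-named temp file reads as an arbitrary grant. Restoring `# Print` above the @{hex} rule and `# Save as` above the qpdfview.*.pdf rule costs nothing and preserves the audit trail.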
@@ -1,76 +1,30 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t -@{smplayer_ext} = [aA]{52,[aA][cC],[cC]3} -@{smplayer_ext} += [mM][kK][aA] -@{smplayer_ext} += [fF][lL][aA][cC] -@{smplayer_ext} += [mM][pP][123cC] -@{smplayer_ext} += [oO][gGmM][aA] -@{smplayer_ext} += [wW]{,[aA]}[vV] -@{smplayer_ext} += [wW][mM]{,[aA]} -@{smplayer_ext} += 3[gG]{[2pP],[pP][2pP]} -@{smplayer_ext} += [aA][sS][fF] -@{smplayer_ext} += [aA][vV][iI] -@{smplayer_ext} += [dD][iI][vV][xX] -@{smplayer_ext} += [mM][124][vV] -@{smplayer_ext} += [mM][kKoO][vV] -@{smplayer_ext} += [mM][pP][4aAeEgG] -@{smplayer_ext} += [mM][pP][eE][gG]{,[124]} -@{smplayer_ext} += [oO][gG][gGmMxXvV] -@{smplayer_ext} += [rR][mM]{,[vV][bB]} -@{smplayer_ext} += [wW][eE][bB][mM] -@{smplayer_ext} += [wW][mMtT][vV] -@{smplayer_ext} += [mM][pP]2[tT] - -# Image extensions -# bmp, jpg, jpeg, png, gif -@{smplayer_ext} += [bB][mM][pP] -@{smplayer_ext} += [jJ][pP]{,[eE]}[gG] -@{smplayer_ext} += [pP][nN][gG] -@{smplayer_ext} += [gG][iI][fF] - -# Subtitle extensions: -# srt, txt, sub -@{smplayer_ext} += [sS][rR][tT] -@{smplayer_ext} += [tT][xX][tT] -@{smplayer_ext} += [sS][uU][bB] - -# Playlist extensions: -# m3u, m3u8, pls -@{smplayer_ext} += [mM]3[uU]{,8} -@{smplayer_ext} += [pP][lL][sS] - -# For Qbittorrent !qB extension -@{smplayer_ext} += "!qB" - @{exec_path} = /{usr/,}bin/smplayer profile smplayer @{exec_path} { include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include include include - include - include - 
include include - include - include + include + include # Needed for hardware decoding ##include @@ -86,33 +40,42 @@ profile smplayer @{exec_path} { @{exec_path} mrix, - # Which media files SMPlayer should be able to open - / r, - /home/ r, + /{usr/,}bin/mpv rPx, + /{usr/,}bin/pacmd rPx, + /{usr/,}bin/smtube rPx, + /{usr/,}bin/youtube-dl rPx, + /{usr/,}bin/yt-dlp rPx, + + /usr/share/qt5ct/** r, + /usr/share/hwdata/pnp.ids r, + + /etc/fstab r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - /tmp/ r, - owner /tmp/mozilla_*/ r, - owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw, + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, - # For SMB shares - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, - owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{smplayer_ext} r, - - # SMPlayer config files owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9], - # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - owner @{user_cache_dirs}/#[0-9]*[0-9] rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner /tmp/qtsingleapp-smplay-* rw, + owner /tmp/qtsingleapp-smplay-*-lockfile rwk, + owner /tmp/smplayer_preview/ rw, + owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw, + owner /tmp/smplayer-mpv-* w, + + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, + owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r, + + owner /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/cmdline r, 
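Review bot: In the second hunk, `owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,` widens the SMB rule from `.@{smplayer_ext}` files to every user-owned file on any share, mirroring the same change in mpv; either a comment stating that reading arbitrary share content is intended or a narrower pattern is warranted. The `/tmp/mozilla_*` rules disappear here too, so browser-saved media under /tmp can no longer be opened. Three explanatory comments were lost in the reorder: `# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration` on the qt5ct rule, `# For the builtin thumbnail generator` on the smplayer_preview rules and `# PulseAudio (to use "pacmd")` on `/{usr/,}bin/pacmd rPx,`; keep them next to the moved rules.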
@@ -120,34 +83,8 @@ profile smplayer @{exec_path} { @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, - - owner /tmp/qtsingleapp-smplay-* rw, - owner /tmp/qtsingleapp-smplay-*-lockfile rwk, - - /usr/share/hwdata/pnp.ids r, - - # For the builtin thumbnail generator - owner /tmp/smplayer_preview/ rw, - owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw, - - owner /tmp/smplayer-mpv-* w, - - # External apps - /{usr/,}bin/mpv rPUx, - /{usr/,}bin/smtube rPUx, - /{usr/,}bin/youtube-dl rPUx, - /{usr/,}bin/yt-dlp rPUx, - - # PulseAudio (to use "pacmd") - /{usr/,}bin/pacmd rPUx, - - # file_inherit + /dev/ r, owner /dev/tty[0-9]* rw, - owner @{HOME}/.anyRemote/anyremote.stdout w, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index e24ddd28..cac419d7 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
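Review bot: `deny /dev/ r,` becomes `/dev/ r,`, turning an explicit deny into an allow; the same flip appears in the vidcutter hunk at `@@ -112,49 +76,17 @@`. Listing /dev is low impact, but the commit message is about removing `*_ext` variables and says nothing about it, so either keep the deny or record in the description why the directory read is now granted (silencing a denial log is the usual reason, and should be stated). `owner @{HOME}/.anyRemote/anyremote.stdout w,` is also dropped without replacement, so the anyRemote integration would now be denied if anyone still uses it — presumably intentional, but worth a word in the message.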
@@ -1,57 +1,32 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t -@{vidcutter_ext} = [aA]{52,[aA][cC],[cC]3} -@{vidcutter_ext} += [mM][kK][aA] -@{vidcutter_ext} += [fF][lL][aA][cC] -@{vidcutter_ext} += [mM][pP][123cC] -@{vidcutter_ext} += [oO][gGmM][aA] -@{vidcutter_ext} += [wW]{,[aA]}[vV] -@{vidcutter_ext} += [wW][mM]{,[aA]} -@{vidcutter_ext} += 3[gG]{[2pP],[pP][2pP]} -@{vidcutter_ext} += [aA][sS][fF] -@{vidcutter_ext} += [aA][vV][iI] -@{vidcutter_ext} += [dD][iI][vV][xX] -@{vidcutter_ext} += [mM][124][vV] -@{vidcutter_ext} += [mM][kKoO][vV] -@{vidcutter_ext} += [mM][pP][4aAeEgG] -@{vidcutter_ext} += [mM][pP][eE][gG]{,[124]} -@{vidcutter_ext} += [oO][gG][gGmMxXvV] -@{vidcutter_ext} += [rR][mM]{,[vV][bB]} -@{vidcutter_ext} += [wW][eE][bB][mM] -@{vidcutter_ext} += [wW][mMtT][vV] -@{vidcutter_ext} += [mM][pP]2[tT] - @{exec_path} = /{usr/,}bin/vidcutter profile vidcutter @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include include - include include + include + include + include + include include + include + include @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, 
@@ -63,46 +38,35 @@ profile vidcutter @{exec_path} { /{usr/,}bin/ffprobe rPx, /{usr/,}bin/mediainfo rPx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + /{usr/,}bin/xdg-open rPx -> child-open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open, - # Which files vidcutter should be able to open - / r, - /home/ r, - owner @{HOME}/ r, - owner @{HOME}/**/ r, - @{MOUNTS}/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{vidcutter_ext} rw, + /usr/share/hwdata/pnp.ids r, + /usr/share/qt5ct/** r, + + /etc/fstab r, + /etc/vdpau_wrapper.cfg r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, owner @{HOME}/ r, + owner @{user_music_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_torrents_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + owner @{user_config_dirs}/vidcutter/ rw, owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9], - # If one is blocked, the others are probed. 
- deny owner @{HOME}/#[0-9]*[0-9] mrw, - owner @{HOME}/.glvnd* mrw, - # owner /tmp/#[0-9]*[0-9] mrw, - # owner /tmp/.glvnd* mrw, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/qtshadercache/ rw, - owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw, + owner @{user_cache_dirs}/qtshadercache/ rw, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9], + owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw, owner @{user_config_dirs}/qt5ct/{,**} r, - /usr/share/qt5ct/** r, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - # To remove the following error: - # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied - # (g-file-error-quark, 2) - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny @{PROC}/sys/kernel/random/boot_id r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/meminfo r, 
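Review bot: `deny owner @{HOME}/#[0-9]*[0-9] mrw,` and `owner @{HOME}/.glvnd* mrw,` are removed together with their `# If one is blocked, the others are probed.` comment, and nothing in the hunk replaces them; unless one of the reordered includes (targets stripped in rendering) covers libglvnd's shader-cache probing, vidcutter may start logging denials for `@{HOME}/.glvnd*` again. Dropping `m` on a file the profile can also write is a good least-privilege outcome, so if a replacement is needed it should point at a cache directory rather than restore the old `mrw` grant. The `# To remove the following error: GLib-GIO-WARNING ...` comment is also lost while the `@{PROC}/@{pid}/mountinfo r,` rule it justified is kept in the next hunk; keeping it records why that read exists. `owner @{user_cache_dirs}/ rw,` is dropped as well — confirm the remaining qtshadercache rules still get their parent directory from an include.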
@@ -112,49 +76,17 @@ profile vidcutter @{exec_path} { owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9], owner /tmp/vidcutter/{,*} rw, - deny /dev/ r, - /dev/shm/#[0-9]*[0-9] rw, - /dev/disk/*/ r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + deny @{PROC}/sys/kernel/random/boot_id r, - /etc/vdpau_wrapper.cfg r, + /dev/ r, + /dev/shm/#[0-9]*[0-9] rw, + /dev/disk/*/ r, - /etc/fstab r, - - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - # file_inherit owner /dev/tty[0-9]* rw, - - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - /{usr/,}lib/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 361df0c7..66ee598f 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl 
@@ -1,59 +1,26 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a -@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3} -@{ytdl_ext} += [mM][kK][aA] -@{ytdl_ext} += [fF][lL][aA][cC] -@{ytdl_ext} += [mM][pP][123cC] -@{ytdl_ext} += [oO][gGmM][aA] -@{ytdl_ext} += [wW]{,[aA]}[vV] -@{ytdl_ext} += [wW][mM]{,[aA]} -@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]} -@{ytdl_ext} += [aA][sS][fF] -@{ytdl_ext} += [aA][vV][iI] -@{ytdl_ext} += [dD][iI][vV][xX] -@{ytdl_ext} += [mM][124][vV] -@{ytdl_ext} += [mM][kKoO][vV] -@{ytdl_ext} += [mM][pP][4aAeEgG] -@{ytdl_ext} += [mM][pP][eE][gG]{,[124]} -@{ytdl_ext} += [oO][gG][gGmMxXvV] -@{ytdl_ext} += [rR][mM]{,[vV][bB]} -@{ytdl_ext} += [wW][eE][bB][mM] -@{ytdl_ext} += [wW][mMtT][vV] -@{ytdl_ext} += [mM][pP]2[tT] -@{ytdl_ext} += [mM]4[aA] - -# The ytdl specific file extensions -# ytdl, part, tmp, temp -@{ytdl_ext} += [yY][tT][dD][lL] -@{ytdl_ext} += part{,-*} -@{ytdl_ext} += [tT]{,[eE]}[mM][pP] - @{exec_path} = /{usr/,}bin/youtube-dl profile youtube-dl @{exec_path} { include - include - include include - include + include include + include include - include include include + include include include - - signal (receive) set=(term, kill), + include network inet dgram, network inet6 dgram, @@ -61,9 +28,14 @@ profile youtube-dl @{exec_path} { network inet6 stream, network netlink raw, + signal (receive) set=(term, kill), + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}bin/ffmpeg rPx, + /{usr/,}bin/ffprobe rPx, + /{usr/,}bin/ r, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}lib/llvm-[0-9]*/bin/clang rix, 
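Review bot: The added `/{usr/,}bin/ffmpeg rPx,` and `/{usr/,}bin/ffprobe rPx,` in the second hunk (`@@ -61,9 +28,14 @@`) make post-processing hard-fail with EACCES on a host where the ffmpeg profile is not loaded, whereas the `rPUx` they replace fell back to running unconfined. That is the stricter and better default for a full profile set, but it is a behaviour change for partial installs and deserves a one-line comment next to the rules, e.g. `# requires the ffmpeg profile; exec is denied if it is not loaded`. The surrounding context lines still allow `gcc` and `clang` (and `rtmpdump`/`git` in the following hunk) as `rix`, so they run under youtube-dl's own profile with its network access and user-directory write grants — pre-existing, but this cleanup is a good moment to reconsider whether a downloader needs compilers in its profile. The youtube-dl profile block starts before this hunk and continues after it.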
@@ -72,25 +44,19 @@ profile youtube-dl @{exec_path} { /{usr/,}bin/rtmpdump rix, /{usr/,}bin/git rix, - # Which files youtube-dl should be able to open - owner @{HOME}/ r, - owner @{HOME}/**/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{ytdl_ext} rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - /etc/mime.types r, + owner @{HOME}/ r, + owner @{user_music_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/youtube-dl/{,**} rw, owner @{user_config_dirs}/git/config r, - # External apps - /{usr/,}bin/ffmpeg rPUx, - /{usr/,}bin/ffprobe rPUx, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index a1e34ac7..a56ab563 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp 
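Review bot: The replacement rules `owner @{user_music_dirs}/{,**} rw,` and `owner @{user_videos_dirs}/{,**} rw,` trade the old extension filter for a full read/write grant on every entry under Music and Videos, and the `owner @{HOME}/**/ r,` browse rule disappears with them, so an `-o` template pointing anywhere else (Downloads, a mounted drive) is now denied outright rather than restricted by extension. If that is the intended contract it is worth stating beside the rules, e.g. `# downloads are confined to the XDG music/video dirs; -o elsewhere is denied`. From the collapsed hunk it is not clear whether `/etc/mime.types r,` survives as context or is removed; if it is removed, nothing in this hunk replaces it and mimetype-based format handling may start logging denials. The youtube-dl profile block starts outside this hunk.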
@@ -1,50 +1,19 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a -@{ytdlp_ext} = [aA]{52,[aA][cC],[cC]3} -@{ytdlp_ext} += [mM][kK][aA] -@{ytdlp_ext} += [fF][lL][aA][cC] -@{ytdlp_ext} += [mM][pP][123cC] -@{ytdlp_ext} += [oO][gGmM][aA] -@{ytdlp_ext} += [wW]{,[aA]}[vV] -@{ytdlp_ext} += [wW][mM]{,[aA]} -@{ytdlp_ext} += 3[gG]{[2pP],[pP][2pP]} -@{ytdlp_ext} += [aA][sS][fF] -@{ytdlp_ext} += [aA][vV][iI] -@{ytdlp_ext} += [dD][iI][vV][xX] -@{ytdlp_ext} += [mM][124][vV] -@{ytdlp_ext} += [mM][kKoO][vV] -@{ytdlp_ext} += [mM][pP][4aAeEgG] -@{ytdlp_ext} += [mM][pP][eE][gG]{,[124]} -@{ytdlp_ext} += [oO][gG][gGmMxXvV] -@{ytdlp_ext} += [rR][mM]{,[vV][bB]} -@{ytdlp_ext} += [wW][eE][bB][mM] -@{ytdlp_ext} += [wW][mMtT][vV] -@{ytdlp_ext} += [mM][pP]2[tT] -@{ytdlp_ext} += [mM]4[aA] - -# The ytdl specific file extensions -# ytdl, part, tmp, temp -@{ytdlp_ext} += [yY][tT][dD][lL] -@{ytdlp_ext} += part{,-*} -@{ytdlp_ext} += [tT]{,[eE]}[mM][pP] - @{exec_path} = /{usr/,}bin/yt-dlp profile yt-dlp @{exec_path} { include include - include include include + include include include @@ -63,9 +32,10 @@ profile yt-dlp @{exec_path} { /{usr/,}bin/ffmpeg rPx, /{usr/,}bin/ffprobe rPx, - # Which files yt-dlp should be able to open - owner /media/**/ r, - owner /media/**.@{ytdlp_ext} rwk, + /etc/magic r, + + owner @{user_music_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/yt-dlp/ rw, @@ -73,7 +43,5 @@ profile yt-dlp @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - /etc/magic r, - include if exists } 
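Review bot: In the second hunk (`@@ -63,9 +32,10 @@`) the replacement rules drop the `k` permission that `owner /media/**.@{ytdlp_ext} rwk,` carried: the new lines are `owner @{user_music_dirs}/{,**} rw,` and `owner @{user_videos_dirs}/{,**} rw,`. yt-dlp wraps file writes in a `locked_file` helper that takes an advisory lock; if that still applies to download outputs, AppArmor will deny the lock request and the download fails where the old rule allowed it, so `rwk` on both lines is the safer choice, with `# k: yt-dlp locks output files while writing` to record why. Separately, `owner @{HOME}/.cache/` stays hard-coded while the sibling youtube-dl profile uses `@{user_cache_dirs}`, which this cleanup could align. The yt-dlp profile block starts outside this hunk.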
diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 2e1b239b..e586443f 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -1,60 +1,29 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# Video/audio extensions: -# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp, -# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm, -# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a -@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3} -@{ytdl_ext} += [mM][kK][aA] -@{ytdl_ext} += [fF][lL][aA][cC] -@{ytdl_ext} += [mM][pP][123cC] -@{ytdl_ext} += [oO][gGmM][aA] -@{ytdl_ext} += [wW]{,[aA]}[vV] -@{ytdl_ext} += [wW][mM]{,[aA]} -@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]} -@{ytdl_ext} += [aA][sS][fF] -@{ytdl_ext} += [aA][vV][iI] -@{ytdl_ext} += [dD][iI][vV][xX] -@{ytdl_ext} += [mM][124][vV] -@{ytdl_ext} += [mM][kKoO][vV] -@{ytdl_ext} += [mM][pP][4aAeEgG] -@{ytdl_ext} += [mM][pP][eE][gG]{,[124]} -@{ytdl_ext} += [oO][gG][gGmMxXvV] -@{ytdl_ext} += [rR][mM]{,[vV][bB]} -@{ytdl_ext} += [wW][eE][bB][mM] -@{ytdl_ext} += [wW][mMtT][vV] -@{ytdl_ext} += [mM][pP]2[tT] -@{ytdl_ext} += [mM]4[aA] - -# The ytdl specific file extensions -# ytdl, part, tmp, temp -@{ytdl_ext} += [yY][tT][dD][lL] -@{ytdl_ext} += part{,-*} -@{ytdl_ext} += [tT]{,[eE]}[mM][pP] - @{exec_path} = /{usr/,}bin/ytdl profile ytdl @{exec_path} { include - include include include + include include include - signal (receive) set=(term, kill), - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + signal (receive) set=(term, kill), + @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, 
@@ -62,19 +31,16 @@ profile ytdl @{exec_path} { /{usr/,}{s,}bin/ldconfig rix, /{usr/,}bin/uname rix, - # Which files youtube-dl should be able to open + /etc/mime.types r, + owner @{HOME}/ r, - owner @{HOME}/**/ r, - owner @{MOUNTS}/**/ r, - owner /{home,media}/**.@{ytdl_ext} rw, + owner @{user_music_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - /etc/mime.types r, - - # Needed when displaying info on available formats - owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r, - include if exists }
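Review bot: The explanatory comment `# Needed when displaying info on available formats` is dropped while the rule it explained, `owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r,`, is kept and merely moved; restore the comment above the rule so a maintainer knows why ytdl reads another tool's cache. The new `owner @{user_music_dirs}/{,**} rw,` and `owner @{user_videos_dirs}/{,**} rw,` lines mirror the youtube-dl profile, which is good for consistency, but as there the `owner @{HOME}/**/ r,` browse rule is gone, so any output path outside those two directories is now denied rather than filtered by extension — worth a comment if intended. The ytdl profile block starts outside this hunk.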