feat(profiles): finishing replacing local *_ext variables.

This commit is contained in:
Alexandre Pujol 2023-03-12 15:24:53 +00:00
parent d23348c689
commit 8bdce8bd62
11 changed files with 291 additions and 770 deletions


@ -1,21 +1,12 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov # Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# PDF extensions
# pdf, epub, txt, html, mhtml, ps, mobi, djvu
@{calibre_ext} = [pP][dF][fF]
@{calibre_ext} += [eE][pP][uU][bB]
@{calibre_ext} += [tT][xX][tT]
@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
@{calibre_ext} += [pP][sS]
@{calibre_ext} += [mM][oO][bB][iI]
@{calibre_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} @{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb @{exec_path} += /{usr/,}bin/calibredb
@{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert} @{exec_path} += /{usr/,}bin/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
@ -50,33 +41,37 @@ profile calibre @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
#/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/ldconfig rix, /{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/uname rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/file rix, /{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/{usr/,}bin/pdftoppm rPUx, # (#FIXME#) /{usr/,}bin/pdftoppm rPUx, # (#FIXME#)
/{usr/,}bin/pdfinfo rPUx, /{usr/,}bin/pdfinfo rPUx,
/{usr/,}bin/pdftohtml rPUx, /{usr/,}bin/pdftohtml rPUx,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}bin/xdg-mime rPx, /{usr/,}bin/xdg-mime rPx,
# Which files calibre should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{calibre_ext} rw,
/usr/share/calibre/{,**} r, /usr/share/calibre/{,**} r,
/usr/share/hwdata/pnp.ids r,
/usr/share/qt5/**.pak r,
/usr/share/qt5ct/** r,
owner @{user_books_dirs} rw, /etc/fstab r,
owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**, /etc/inputrc r,
/etc/magic r,
/etc/mime.types r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{user_documents_dirs}/{,**} rwl,
owner @{user_books_dirs}/{,**} rwl,
owner @{user_torrents_dirs}/{,**} rwl,
owner @{user_work_dirs}/{,**} rwl,
owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/ rw,
owner @{user_config_dirs}/calibre/** rwk, owner @{user_config_dirs}/calibre/** rwk,
@ -89,92 +84,43 @@ profile calibre @{exec_path} {
owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/ rw,
owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw, owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
owner @{user_config_dirs}/qt5ct/{,**} r,
owner /tmp/calibre_*_tmp_*/{,**} rw, owner /tmp/calibre_*_tmp_*/{,**} rw,
owner /tmp/calibre-*/{,**} rw, owner /tmp/calibre-*/{,**} rw,
owner /tmp/[0-9]*-*/ rw, owner /tmp/[0-9]*-*/ rw,
owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**, owner /tmp/[0-9]*-*/** rwl -> /tmp/[0-9]*-*/**,
owner /tmp/* rw, owner /tmp/* rw,
@{PROC}/ r, owner /dev/shm/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/route r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/vmstat r,
/etc/fstab r,
owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
# no new privs
/{usr/,}lib/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
/usr/share/qt5/**.pak r,
@{sys}/devices/pci[0-9]*/**/irq r, @{sys}/devices/pci[0-9]*/**/irq r,
/dev/shm/#[0-9]*[0-9] rw, @{PROC}/ r,
@{PROC}/@{pid}/net/route r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/usr/share/hwdata/pnp.ids r,
/etc/mime.types r,
/etc/inputrc r,
/etc/magic r,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPx,
/{usr/,}bin/qpdfview rPx,
/{usr/,}bin/viewnior rPUx,
/{usr/,}bin/spacefm rPx,
/{usr/,}bin/chromium rPx,
/{usr/,}bin/ebook-viewer rPx,
/{usr/,}bin/ebook-edit rPx,
owner /{home,media}/**.@{calibre_ext} rw,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/calibre> include if exists <local/calibre>
} }
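Review bot: The four new `owner @{user_documents_dirs}/{,**} rwl,` … `owner @{user_work_dirs}/{,**} rwl,` rules grant link permission with no `->` target, whereas the rule they replace pinned it with `rwkl -> @{user_books_dirs}/**`, and they drop `k` at the same time. The old rule granted `k` presumably because the library takes file locks; if it still does, the new rule will surface as denials, and an unpinned `l` roughly lets any file the profile already holds matching permissions on be hard-linked into these trees. The atril and qpdfview sections of this commit use plain `rw` for the same four tunables, so the calibre lines read as an inconsistency rather than a deliberate grant. Suggest `owner @{user_books_dirs}/{,**} rwkl -> @{user_books_dirs}/{,**},` for the library and `rw` for the other three unless a link target is genuinely needed.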


@ -1,31 +1,22 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Ebooks extensions
# pdf, epub, djvu
@{atril_ext} = [pP][dD][fF]
@{atril_ext} += [eE][pP][uU][bB]
@{atril_ext} += [dD][jJ][vV][uU]
# PNG preview
@{atril_ext} += [pP][nN][gG]
@{exec_path} = /{usr/,}bin/atril{,-*} @{exec_path} = /{usr/,}bin/atril{,-*}
profile atril @{exec_path} { profile atril @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write> include <abstractions/dconf-write>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/user-download-strict> include <abstractions/gtk>
include <abstractions/private-files-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
network netlink raw, network netlink raw,
@ -38,34 +29,16 @@ profile atril @{exec_path} {
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
/{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix, /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess rix,
# Which media files atril should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
/tmp/mozilla_*/ r,
owner /{home,media,tmp}/**.@{atril_ext} rw,
/usr/share/atril/{,**} r, /usr/share/atril/{,**} r,
/usr/share/poppler/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/statm r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/zoneinfo r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/fs/cgroup/** r,
/etc/fstab r, /etc/fstab r,
/usr/share/poppler/{,**} r, owner @{HOME}/ r,
owner @{user_documents_dirs}/{,**} rw,
owner @{user_books_dirs}/{,**} rw,
owner @{user_torrents_dirs}/{,**} rw,
owner @{user_work_dirs}/{,**} rw,
owner @{user_config_dirs}/atril/{,*} rw, owner @{user_config_dirs}/atril/{,*} rw,
@ -74,21 +47,19 @@ profile atril @{exec_path} {
owner /tmp/gtkprint_* rw, owner /tmp/gtkprint_* rw,
owner /tmp/settings*.ini rw, owner /tmp/settings*.ini rw,
owner /tmp/settings*.ini.* rw, owner /tmp/settings*.ini.* rw,
owner /tmp/atril-@{pid}/{,**} rw,
owner /tmp/atril-@{pid}/ rw, @{sys}/firmware/acpi/pm_profile r,
owner /tmp/atril-@{pid}/*/ rw, @{sys}/devices/virtual/dmi/id/chassis_type r,
owner /tmp/atril-@{pid}/*/mimetype rw, @{sys}/fs/cgroup/** r,
owner /tmp/atril-@{pid}/*/META-INF/ rw,
owner /tmp/atril-@{pid}/*/META-INF/container.xml rw, @{PROC}/zoneinfo r,
owner /tmp/atril-@{pid}/*/index_split_[0-9]*.html rw, owner @{PROC}/@{pid}/cgroup r,
owner /tmp/atril-@{pid}/*/page_styles.css rw, owner @{PROC}/@{pid}/fd/ r,
owner /tmp/atril-@{pid}/*/titlepage.xhtml rw, owner @{PROC}/@{pid}/mountinfo r,
owner /tmp/atril-@{pid}/*/stylesheet.css rw, owner @{PROC}/@{pid}/mounts r,
owner /tmp/atril-@{pid}/*/images/ rw, owner @{PROC}/@{pid}/statm r,
owner /tmp/atril-@{pid}/*/images/*.jpg rw, deny owner @{PROC}/@{pid}/cmdline r,
owner /tmp/atril-@{pid}/*/toc.ncx rw,
owner /tmp/atril-@{pid}/*/content.opf rw,
owner /tmp/atril-@{pid}/*/META-INF/calibre_bookmarks.txt rw,
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
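Review bot: `owner @{user_documents_dirs}/{,**} rw,` through `owner @{user_work_dirs}/{,**} rw,` replace `owner /{home,media,tmp}/**.@{atril_ext} rw` with write access to every file in four directory trees (torrents included), and `include <abstractions/private-files-strict>` goes away in the same hunk; the same two changes appear in the qpdfview, mpv, qnapi and smplayer sections. For a viewer whose parsers face untrusted documents, `r` on the trees with `rw` only where atril actually saves would keep the blast radius closer to the old extension-scoped rule — worth confirming which of the four tunables need `w`. Since a user can point an XDG user dir at `$HOME` itself, tree-wide `rw` with the private-files deny gone then reaches whatever sensitive files that include used to block, so consider keeping the include, or a one-line comment on why it is no longer needed. The removed `/tmp/ r,` and `/tmp/mozilla_*/ r,` lines have no replacement, so opening a file straight from a browser's temp directory may now be denied — presumably intended, but it deserves a mention in the commit message.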


@ -6,12 +6,6 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Ebooks extensions
# pdf, epub, djvu
@{qpdfview_ext} = [pP][dD][fF]
@{qpdfview_ext} += [eE][pP][uU][bB]
@{qpdfview_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}lib/atril/atrild @{exec_path} = /{usr/,}lib/atril/atrild
profile atrild @{exec_path} { profile atrild @{exec_path} {
include <abstractions/base> include <abstractions/base>


@ -1,80 +1,27 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, flv
@{mpv_ext} = [aA]{52,[aA][cC],[cC]3}
@{mpv_ext} += [mM][kK][aA]
@{mpv_ext} += [fF][lL][aA][cC]
@{mpv_ext} += [mM][pP][123cC]
@{mpv_ext} += [oO][gGmM][aA]
@{mpv_ext} += [wW]{,[aA]}[vV]
@{mpv_ext} += [wW][mM]{,[aA]}
@{mpv_ext} += 3[gG]{[2pP],[pP][2pP]}
@{mpv_ext} += [aA][sS][fF]
@{mpv_ext} += [aA][vV][iI]
@{mpv_ext} += [dD][iI][vV][xX]
@{mpv_ext} += [mM][124][vV]
@{mpv_ext} += [mM][kKoO][vV]
@{mpv_ext} += [mM][pP][4aAeEgG]
@{mpv_ext} += [mM][pP][eE][gG]{,[124]}
@{mpv_ext} += [oO][gG][gGmMxXvV]
@{mpv_ext} += [rR][mM]{,[vV][bB]}
@{mpv_ext} += [wW][eE][bB][mM]
@{mpv_ext} += [wW][mMtT][vV]
@{mpv_ext} += [mM][pP]2[tT]
@{mpv_ext} += [fF][lL][vV]
# Image extensions
# bmp, jpg, jpeg, png, gif
@{mpv_ext} += [bB][mM][pP]
@{mpv_ext} += [jJ][pP]{,[eE]}[gG]
@{mpv_ext} += [pP][nN][gG]
@{mpv_ext} += [gG][iI][fF]
# Subtitle extensions:
# srt, txt, sub
@{mpv_ext} += [sS][rR][tT]
@{mpv_ext} += [tT][xX][tT]
@{mpv_ext} += [sS][uU][bB]
# Playlist extensions:
# m3u, m3u8, pls
@{mpv_ext} += [mM]3[uU]{,8}
@{mpv_ext} += [pP][lL][sS]
# For Qbittorrent !qB extension
@{mpv_ext} += "!qB"
@{exec_path} = /{usr/,}bin/mpv @{exec_path} = /{usr/,}bin/mpv
profile mpv @{exec_path} { profile mpv @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/audio>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/opencl-intel>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/audio>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/vulkan> include <abstractions/opencl>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
signal (receive) set=(term, kill), include <abstractions/vulkan>
signal (send) set=(term, kill) peer=youtube-dl,
signal (send) set=(term, kill) peer=yt-dlp,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -82,79 +29,62 @@ profile mpv @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) set=(term, kill),
signal (send) set=(term, kill) peer=youtube-dl,
signal (send) set=(term, kill) peer=yt-dlp,
@{exec_path} mr, @{exec_path} mr,
# MPV config files /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}bin/yt-dlp rPx,
/etc/mpv/* r, /etc/mpv/* r,
owner @{user_config_dirs}/mpv/ rw, /etc/samba/smb.conf r,
owner @{user_config_dirs}/mpv/* rw,
# Which files MPV should be able to open
/ r,
/home/ r,
owner @{HOME}/ r,
owner @{HOME}/**/ r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r,
/tmp/ r,
owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw,
owner /tmp/smplayer-mpv-* rw,
owner /tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{mpv_ext} rw,
# For SMB shares
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{mpv_ext} r,
# For the SMPlayer's builtin thumbnail generator
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w,
# For SMPlayer's screenshots
owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
# Media downloaded by firefox
#deny owner /tmp/mozilla_*/* r,
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
owner @{HOME}/ r,
owner @{user_music_dirs}/{,**} rw,
owner @{user_pictures_dirs}/{,**} rw,
owner @{user_torrents_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/mpv/ rw,
owner @{user_config_dirs}/mpv/* rw,
/tmp/ r,
owner /tmp/mpsyt-input* rw,
owner /tmp/mpsyt-mpv*.sock rw,
owner /tmp/smplayer-mpv-* rw,
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} w,
owner /tmp/smplayer_screenshots/cap_*.{jpg,png} w,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/ r,
##include <abstractions/nvidia>
/etc/vdpau_wrapper.cfg r,
#/etc/samba/smb.conf r,
# What's this for? (since v0.30.0)
@{sys}/bus/ r,
@{sys}/class/ r,
#
@{sys}/class/input/ r,
@{sys}/devices/**/input/**/uevent r,
@{sys}/devices/**/input/**/capabilities/* r,
/dev/input/event[0-9]* r,
@{run}/udev/data/+input:input[0-9]* r, @{run}/udev/data/+input:input[0-9]* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
#
@{sys}/class/sound/ r,
@{sys}/devices/**/sound/**/uevent r,
@{sys}/devices/**/sound/**/capabilities/* r,
@{run}/udev/data/+sound:* r, @{run}/udev/data/+sound:* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c116:[0-9]* r, # for ALSA
# Be able to turn off the screensaver while playing movies @{sys}/bus/ r,
/{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver, @{sys}/class/ r,
@{sys}/class/input/ r,
@{sys}/class/sound/ r,
@{sys}/devices/**/input/**/capabilities/* r,
@{sys}/devices/**/input/**/uevent r,
@{sys}/devices/**/sound/**/capabilities/* r,
@{sys}/devices/**/sound/**/uevent r,
# External apps /dev/input/event[0-9]* r,
/{usr/,}bin/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.xsession-errors w,
profile xdg-screensaver { profile xdg-screensaver {
include <abstractions/base> include <abstractions/base>
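Review bot: `/etc/samba/smb.conf r,` goes from a commented-out line to an active rule with no explanation, and `/etc/vdpau_wrapper.cfg r,` is dropped without a replacement in the same hunk. A short why-comment on the former, such as `# For smb:// URLs` if that is the reason, would stop the next reader from re-commenting it; for the latter, if VDPAU decoding on NVIDIA is still meant to work, that config read will now show up as a denial — worth confirming before the removal lands. Tightening `youtube-dl` and `yt-dlp` from `rPUx` to `rPx` is a welcome change, but it makes mpv depend on both child profiles being installed, so the commit message could say so.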


@ -1,61 +1,26 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{qnapi_vid_ext} = [aA]{52,[aA][cC],[cC]3}
@{qnapi_vid_ext} += [mM][kK][aA]
@{qnapi_vid_ext} += [fF][lL][aA][cC]
@{qnapi_vid_ext} += [mM][pP][123cC]
@{qnapi_vid_ext} += [oO][gGmM][aA]
@{qnapi_vid_ext} += [wW]{,[aA]}[vV]
@{qnapi_vid_ext} += [wW][mM]{,[aA]}
@{qnapi_vid_ext} += 3[gG]{[2pP],[pP][2pP]}
@{qnapi_vid_ext} += [aA][sS][fF]
@{qnapi_vid_ext} += [aA][vV][iI]
@{qnapi_vid_ext} += [dD][iI][vV][xX]
@{qnapi_vid_ext} += [mM][124][vV]
@{qnapi_vid_ext} += [mM][kKoO][vV]
@{qnapi_vid_ext} += [mM][pP][4aAeEgG]
@{qnapi_vid_ext} += [mM][pP][eE][gG]{,[124]}
@{qnapi_vid_ext} += [oO][gG][gGmMxXvV]
@{qnapi_vid_ext} += [rR][mM]{,[vV][bB]}
@{qnapi_vid_ext} += [wW][eE][bB][mM]
@{qnapi_vid_ext} += [wW][mMtT][vV]
@{qnapi_vid_ext} += [mM][pP]2[tT]
# Subtitle extensions:
# srt, txt, sub
@{qnapi_txt_ext} = [sS][rR][tT]
@{qnapi_txt_ext} += [tT][xX][tT]
@{qnapi_txt_ext} += [sS][uU][bB]
@{exec_path} = /{usr/,}bin/qnapi @{exec_path} = /{usr/,}bin/qnapi
profile qnapi @{exec_path} { profile qnapi @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/gtk>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa> include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/private-files-strict> include <abstractions/X>
# Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
# action (stop qnapi), the apps send the term/kill signal to qnapi.
signal (receive) set=(kill, term),
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -64,64 +29,60 @@ profile qnapi @{exec_path} {
network netlink raw, network netlink raw,
network netlink dgram, network netlink dgram,
# Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
# action (stop qnapi), the apps send the term/kill signal to qnapi.
signal (receive) set=(kill, term),
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/7z rix, /{usr/,}bin/7z rix,
/{usr/,}lib/p7zip/7z rix, /{usr/,}lib/p7zip/7z rix,
/{usr/,}bin/ffprobe rPUx, /{usr/,}bin/ffprobe rPx,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rCx -> open,
/{usr/,}lib/firefox/firefox rPx,
# Movie dirs /usr/share/qt5ct/** r,
@{MOUNTS}/ r, /usr/share/hwdata/pnp.ids r,
owner @{MOUNTS}/** r,
owner @{MOUNTS}/**#[0-9]*[0-9] rw, /etc/fstab r,
owner @{MOUNTS}/**.@{qnapi_vid_ext} r, /etc/machine-id r,
owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9], /var/lib/dbus/machine-id r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_music_dirs}/{,**} rw,
owner @{user_pictures_dirs}/{,**} rw,
owner @{user_torrents_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/qnapi.ini rw, owner @{user_config_dirs}/qnapi.ini rw,
owner @{user_config_dirs}/qnapi.ini.lock rwk, owner @{user_config_dirs}/qnapi.ini.lock rwk,
owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qnapi.ini.* rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9], owner @{user_config_dirs}/qnapi.ini.mlXXXY rwl -> @{user_config_dirs}/#[0-9]*[0-9],
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
/usr/share/hwdata/pnp.ids r, /tmp/ r,
owner /tmp/@{hex}.* rw,
owner /tmp/** rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9],
owner /tmp/QNapi-*-rc.lock rwk,
owner /tmp/QNapi.[0-9]*.tmp rw,
owner /tmp/QNapi.[0-9]*.tmp.* rw,
owner /tmp/QNapi.[0-9]*.tmp.* rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/QNapi.[0-9]*[0-9] rw,
/dev/shm/#[0-9]*[0-9] rw, owner /dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r, deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r, deny @{PROC}/sys/kernel/random/boot_id r,
/etc/fstab r,
/tmp/ r,
owner /tmp/QNapi-*-rc wl -> /tmp/#[0-9]*[0-9],
owner /tmp/QNapi-*-rc.lock rwk,
owner /tmp/QNapi.[0-9]*.tmp rw,
owner /tmp/QNapi.[0-9]*[0-9] rw,
owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rw,
owner /tmp/QNapi.[0-9]*.tmp.@{qnapi_txt_ext} rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/@{hex}.@{qnapi_txt_ext} rw,
owner /tmp/*.@{qnapi_txt_ext} rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
profile open { profile open {
include <abstractions/base> include <abstractions/base>
include <abstractions/xdg-open> include <abstractions/xdg-open>
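Review bot: `owner /tmp/** rw,` on the new side grants read/write to every user-owned file anywhere under /tmp, which makes the specific `/tmp/QNapi*` and `/tmp/#[0-9]*[0-9]` rules that follow it dead and reaches other applications' temp files (the calibre and atril `/tmp/...` trees in this same commit, for example). The rule it replaces, `owner /tmp/*.@{qnapi_txt_ext} rw`, was scoped to subtitle files at the top level; if a generic rule is needed now that the extension variable is gone, `owner /tmp/* rw,` (no `**`) is the closest equivalent, otherwise drop the line and rely on the specific rules. Separately, `/{usr/,}bin/xdg-open rCx -> open,` still uses the local `open` subprofile here while the calibre and qpdfview sections switch to `rPx -> child-open`; presumably qnapi should follow for consistency.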


@ -1,33 +1,27 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Ebooks extensions
# pdf, epub, djvu
@{qpdfview_ext} = [pP][dD][fF]
@{qpdfview_ext} += [eE][pP][uU][bB]
@{qpdfview_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}bin/qpdfview @{exec_path} = /{usr/,}bin/qpdfview
profile qpdfview @{exec_path} { profile qpdfview @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/nameservice-strict>
include <abstractions/dri-enumerate> include <abstractions/dri-enumerate>
include <abstractions/qt5-settings-write> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/thumbnails-cache-read> include <abstractions/thumbnails-cache-read>
include <abstractions/user-download-strict>
include <abstractions/X>
@{exec_path} mr, @{exec_path} mr,
@ -36,18 +30,24 @@ profile qpdfview @{exec_path} {
/{usr/,}bin/bzip2 rix, /{usr/,}bin/bzip2 rix,
/{usr/,}bin/xz rix, /{usr/,}bin/xz rix,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/firefox/firefox rPUx,
/usr/share/hwdata/pnp.ids r,
/usr/share/poppler/** r,
/usr/share/qt5ct/** r,
/usr/share/djvu/** r,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
# Which media files qpdfview should be able to open
/ r,
/home/ r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/**/ r, owner @{user_documents_dirs}/{,**} rw,
@{MOUNTS}/ r, owner @{user_books_dirs}/{,**} rw,
owner @{MOUNTS}/**/ r, owner @{user_torrents_dirs}/{,**} rw,
/tmp/ r, owner @{user_work_dirs}/{,**} rw,
/tmp/mozilla_*/ r,
owner /{home,media,tmp}/**.@{qpdfview_ext} rw,
owner @{user_config_dirs}/qpdfview/ rw, owner @{user_config_dirs}/qpdfview/ rw,
owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9], owner @{user_config_dirs}/qpdfview/* rwkl -> @{user_config_dirs}/qpdfview/#[0-9]*[0-9],
@ -56,69 +56,19 @@ profile qpdfview @{exec_path} {
owner @{user_share_dirs}/qpdfview/** rwk, owner @{user_share_dirs}/qpdfview/** rwk,
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
/var/lib/dbus/machine-id r, owner /dev/shm/#[0-9]*[0-9] rw,
/etc/machine-id r,
/dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/cmdline r,
deny @{PROC}/sys/kernel/random/boot_id r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
/etc/fstab r,
/usr/share/poppler/** r,
/usr/share/hwdata/pnp.ids r,
# Print
owner /tmp/@{hex} rw, owner /tmp/@{hex} rw,
# Save as
owner /tmp/#[0-9]*[0-9] rw, owner /tmp/#[0-9]*[0-9] rw,
owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9], owner /tmp/qpdfview.*.pdf rwl -> /tmp/#[0-9]*[0-9],
/usr/share/djvu/** r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
# Plugins
#/{usr/,}bin/libqpdfview_ps.so mr,
#/{usr/,}bin/libqpdfview_djvu.so mr,
#/{usr/,}lib/qpdfview/libqpdfview_ps.so mr,
#/{usr/,}lib/qpdfview/libqpdfview_djvu.so mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/qpdfview> include if exists <local/qpdfview>
} }
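Review bot: The why-comments `# Print` above `owner /tmp/@{hex} rw,` and `# Save as` above `owner /tmp/#[0-9]*[0-9] rw,` appear to be dropped on the new side, leaving two opaque /tmp rules with no indication of which feature needs them; keeping both comments costs nothing and explains why a viewer writes under /tmp. The `/tmp/ r,` and `/tmp/mozilla_*/ r,` reads also disappear without a replacement, so files opened straight from a browser's temp directory may now be denied — presumably intended, but worth stating. The move from the local `open` subprofile to `rPx -> child-open` looks right and matches the calibre section.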


@ -1,76 +1,30 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{smplayer_ext} = [aA]{52,[aA][cC],[cC]3}
@{smplayer_ext} += [mM][kK][aA]
@{smplayer_ext} += [fF][lL][aA][cC]
@{smplayer_ext} += [mM][pP][123cC]
@{smplayer_ext} += [oO][gGmM][aA]
@{smplayer_ext} += [wW]{,[aA]}[vV]
@{smplayer_ext} += [wW][mM]{,[aA]}
@{smplayer_ext} += 3[gG]{[2pP],[pP][2pP]}
@{smplayer_ext} += [aA][sS][fF]
@{smplayer_ext} += [aA][vV][iI]
@{smplayer_ext} += [dD][iI][vV][xX]
@{smplayer_ext} += [mM][124][vV]
@{smplayer_ext} += [mM][kKoO][vV]
@{smplayer_ext} += [mM][pP][4aAeEgG]
@{smplayer_ext} += [mM][pP][eE][gG]{,[124]}
@{smplayer_ext} += [oO][gG][gGmMxXvV]
@{smplayer_ext} += [rR][mM]{,[vV][bB]}
@{smplayer_ext} += [wW][eE][bB][mM]
@{smplayer_ext} += [wW][mMtT][vV]
@{smplayer_ext} += [mM][pP]2[tT]
# Image extensions
# bmp, jpg, jpeg, png, gif
@{smplayer_ext} += [bB][mM][pP]
@{smplayer_ext} += [jJ][pP]{,[eE]}[gG]
@{smplayer_ext} += [pP][nN][gG]
@{smplayer_ext} += [gG][iI][fF]
# Subtitle extensions:
# srt, txt, sub
@{smplayer_ext} += [sS][rR][tT]
@{smplayer_ext} += [tT][xX][tT]
@{smplayer_ext} += [sS][uU][bB]
# Playlist extensions:
# m3u, m3u8, pls
@{smplayer_ext} += [mM]3[uU]{,8}
@{smplayer_ext} += [pP][lL][sS]
# For Qbittorrent !qB extension
@{smplayer_ext} += "!qB"
@{exec_path} = /{usr/,}bin/smplayer @{exec_path} = /{usr/,}bin/smplayer
profile smplayer @{exec_path} { profile smplayer @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/mesa>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/consoles>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/qt5-compose-cache-write> include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write> include <abstractions/qt5-settings-write>
include <abstractions/wayland>
include <abstractions/dri-enumerate>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/private-files-strict> include <abstractions/wayland>
include <abstractions/openssl> include <abstractions/X>
# Needed for hardware decoding # Needed for hardware decoding
##include <abstractions/nvidia> ##include <abstractions/nvidia>
@ -86,33 +40,42 @@ profile smplayer @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
# Which media files SMPlayer should be able to open /{usr/,}bin/mpv rPx,
/ r, /{usr/,}bin/pacmd rPx,
/home/ r, /{usr/,}bin/smtube rPx,
/{usr/,}bin/youtube-dl rPx,
/{usr/,}bin/yt-dlp rPx,
/usr/share/qt5ct/** r,
/usr/share/hwdata/pnp.ids r,
/etc/fstab r,
/etc/machine-id r,
/var/lib/dbus/machine-id r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/**/ r, owner @{user_music_dirs}/{,**} rw,
@{MOUNTS}/ r, owner @{user_pictures_dirs}/{,**} rw,
owner @{MOUNTS}/**/ r, owner @{user_torrents_dirs}/{,**} rw,
/tmp/ r, owner @{user_videos_dirs}/{,**} rw,
owner /tmp/mozilla_*/ r,
owner /{home,media,tmp/mozilla_*}/**.@{smplayer_ext} rw,
# For SMB shares
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{smplayer_ext} r,
# SMPlayer config files
owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/ rw,
owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9], owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#[0-9]*[0-9],
# To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
owner @{user_cache_dirs}/#[0-9]*[0-9] rw, owner @{user_cache_dirs}/#[0-9]*[0-9] rw,
/var/lib/dbus/machine-id r, owner /tmp/qtsingleapp-smplay-* rw,
/etc/machine-id r, owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
owner /tmp/smplayer_preview/ rw,
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw,
owner /tmp/smplayer-mpv-* w,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
owner /dev/shm/#[0-9]*[0-9] rw,
deny owner @{PROC}/@{pid}/stat r, deny owner @{PROC}/@{pid}/stat r,
deny owner @{PROC}/@{pid}/cmdline r, deny owner @{PROC}/@{pid}/cmdline r,
@ -120,34 +83,8 @@ profile smplayer @{exec_path} {
@{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mountinfo r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
/etc/fstab r, /dev/ r,
deny /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
owner /tmp/qtsingleapp-smplay-* rw,
owner /tmp/qtsingleapp-smplay-*-lockfile rwk,
/usr/share/hwdata/pnp.ids r,
# For the builtin thumbnail generator
owner /tmp/smplayer_preview/ rw,
owner /tmp/smplayer_preview/[0-9]*.{jpg,png} rw,
owner /tmp/smplayer-mpv-* w,
# External apps
/{usr/,}bin/mpv rPUx,
/{usr/,}bin/smtube rPUx,
/{usr/,}bin/youtube-dl rPUx,
/{usr/,}bin/yt-dlp rPUx,
# PulseAudio (to use "pacmd")
/{usr/,}bin/pacmd rPUx,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
owner @{HOME}/.anyRemote/anyremote.stdout w,
include if exists <local/smplayer> include if exists <local/smplayer>
} }


@ -1,57 +1,32 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
@{vidcutter_ext} = [aA]{52,[aA][cC],[cC]3}
@{vidcutter_ext} += [mM][kK][aA]
@{vidcutter_ext} += [fF][lL][aA][cC]
@{vidcutter_ext} += [mM][pP][123cC]
@{vidcutter_ext} += [oO][gGmM][aA]
@{vidcutter_ext} += [wW]{,[aA]}[vV]
@{vidcutter_ext} += [wW][mM]{,[aA]}
@{vidcutter_ext} += 3[gG]{[2pP],[pP][2pP]}
@{vidcutter_ext} += [aA][sS][fF]
@{vidcutter_ext} += [aA][vV][iI]
@{vidcutter_ext} += [dD][iI][vV][xX]
@{vidcutter_ext} += [mM][124][vV]
@{vidcutter_ext} += [mM][kKoO][vV]
@{vidcutter_ext} += [mM][pP][4aAeEgG]
@{vidcutter_ext} += [mM][pP][eE][gG]{,[124]}
@{vidcutter_ext} += [oO][gG][gGmMxXvV]
@{vidcutter_ext} += [rR][mM]{,[vV][bB]}
@{vidcutter_ext} += [wW][eE][bB][mM]
@{vidcutter_ext} += [wW][mMtT][vV]
@{vidcutter_ext} += [mM][pP]2[tT]
@{exec_path} = /{usr/,}bin/vidcutter @{exec_path} = /{usr/,}bin/vidcutter
profile vidcutter @{exec_path} { profile vidcutter @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/dconf-write>
include <abstractions/X>
include <abstractions/gtk>
include <abstractions/freedesktop.org>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/dri-enumerate>
include <abstractions/mesa>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-shader-cache>
include <abstractions/user-download-strict>
include <abstractions/private-files-strict>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/dconf-write>
include <abstractions/dri-enumerate>
include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org>
include <abstractions/gtk>
include <abstractions/mesa>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python>
include <abstractions/qt5-compose-cache-write>
include <abstractions/qt5-settings-write>
include <abstractions/qt5-shader-cache>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict>
include <abstractions/X>
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
@ -63,46 +38,35 @@ profile vidcutter @{exec_path} {
/{usr/,}bin/ffprobe rPx, /{usr/,}bin/ffprobe rPx,
/{usr/,}bin/mediainfo rPx, /{usr/,}bin/mediainfo rPx,
/{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/xdg-open rPx -> child-open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
# Which files vidcutter should be able to open /usr/share/hwdata/pnp.ids r,
/ r, /usr/share/qt5ct/** r,
/home/ r,
owner @{HOME}/ r, /etc/fstab r,
owner @{HOME}/**/ r, /etc/vdpau_wrapper.cfg r,
@{MOUNTS}/ r,
owner @{MOUNTS}/**/ r, /etc/machine-id r,
owner /{home,media}/**.@{vidcutter_ext} rw, /var/lib/dbus/machine-id r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{user_music_dirs}/{,**} rw,
owner @{user_pictures_dirs}/{,**} rw,
owner @{user_torrents_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{user_config_dirs}/vidcutter/ rw, owner @{user_config_dirs}/vidcutter/ rw,
owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9], owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#[0-9]*[0-9],
# If one is blocked, the others are probed.
deny owner @{HOME}/#[0-9]*[0-9] mrw,
owner @{HOME}/.glvnd* mrw,
# owner /tmp/#[0-9]*[0-9] mrw,
# owner /tmp/.glvnd* mrw,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9], owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
owner @{user_cache_dirs}/qtshadercache/ rw,
owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9],
owner @{user_cache_dirs}/qtshadercache/#[0-9]*[0-9] rw,
owner @{user_config_dirs}/qt5ct/{,**} r, owner @{user_config_dirs}/qt5ct/{,**} r,
/usr/share/qt5ct/** r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
# To remove the following error:
# GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
# (g-file-error-quark, 2)
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{sys}/devices/system/node/ r, @{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r, @{sys}/devices/system/node/node[0-9]*/meminfo r,
@ -112,49 +76,17 @@ profile vidcutter @{exec_path} {
owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9], owner /tmp/*.jpg rwl -> /tmp/#[0-9]*[0-9],
owner /tmp/vidcutter/{,*} rw, owner /tmp/vidcutter/{,*} rw,
deny /dev/ r, deny owner @{PROC}/@{pid}/cmdline r,
/dev/shm/#[0-9]*[0-9] rw, owner @{PROC}/@{pid}/fd/ r,
/dev/disk/*/ r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny @{PROC}/sys/kernel/random/boot_id r,
/etc/vdpau_wrapper.cfg r, /dev/ r,
/dev/shm/#[0-9]*[0-9] rw,
/dev/disk/*/ r,
/etc/fstab r,
/usr/share/hwdata/pnp.ids r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner /dev/tty[0-9]* rw, owner /dev/tty[0-9]* rw,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/basename rix,
owner @{HOME}/ r,
owner @{run}/user/@{uid}/ r,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
}
include if exists <local/vidcutter> include if exists <local/vidcutter>
} }
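Review bot: The explicit `deny /dev/ r,` on the old side of this section becomes a plain allow `/dev/ r,` on the new side (the line above `/dev/shm/#[0-9]*[0-9] rw,`), and the smplayer section makes the same deny-to-allow flip; this widens both profiles beyond the extension-variable cleanup named in the commit title. Listing /dev is low impact, but the previous author denied it deliberately, presumably to silence a probe rather than to grant it. If the allow is intended, a short comment such as `# Listing /dev is needed for device enumeration` above the rule would record the reason; otherwise the `deny` should be kept.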


@ -1,59 +1,26 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2017-2021 Mikhail Morfikov # Copyright (C) 2017-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3}
@{ytdl_ext} += [mM][kK][aA]
@{ytdl_ext} += [fF][lL][aA][cC]
@{ytdl_ext} += [mM][pP][123cC]
@{ytdl_ext} += [oO][gGmM][aA]
@{ytdl_ext} += [wW]{,[aA]}[vV]
@{ytdl_ext} += [wW][mM]{,[aA]}
@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]}
@{ytdl_ext} += [aA][sS][fF]
@{ytdl_ext} += [aA][vV][iI]
@{ytdl_ext} += [dD][iI][vV][xX]
@{ytdl_ext} += [mM][124][vV]
@{ytdl_ext} += [mM][kKoO][vV]
@{ytdl_ext} += [mM][pP][4aAeEgG]
@{ytdl_ext} += [mM][pP][eE][gG]{,[124]}
@{ytdl_ext} += [oO][gG][gGmMxXvV]
@{ytdl_ext} += [rR][mM]{,[vV][bB]}
@{ytdl_ext} += [wW][eE][bB][mM]
@{ytdl_ext} += [wW][mMtT][vV]
@{ytdl_ext} += [mM][pP]2[tT]
@{ytdl_ext} += [mM]4[aA]
# The ytdl specific file extensions
# ytdl, part, tmp, temp
@{ytdl_ext} += [yY][tT][dD][lL]
@{ytdl_ext} += part{,-*}
@{ytdl_ext} += [tT]{,[eE]}[mM][pP]
@{exec_path} = /{usr/,}bin/youtube-dl @{exec_path} = /{usr/,}bin/youtube-dl
profile youtube-dl @{exec_path} { profile youtube-dl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/X>
include <abstractions/audio> include <abstractions/audio>
include <abstractions/fonts> include <abstractions/consoles>
include <abstractions/fontconfig-cache-read> include <abstractions/fontconfig-cache-read>
include <abstractions/fonts>
include <abstractions/freedesktop.org> include <abstractions/freedesktop.org>
include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/X>
signal (receive) set=(term, kill),
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
@ -61,9 +28,14 @@ profile youtube-dl @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) set=(term, kill),
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ffmpeg rPx,
/{usr/,}bin/ffprobe rPx,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix, /{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, /{usr/,}lib/llvm-[0-9]*/bin/clang rix,
@ -72,25 +44,19 @@ profile youtube-dl @{exec_path} {
/{usr/,}bin/rtmpdump rix, /{usr/,}bin/rtmpdump rix,
/{usr/,}bin/git rix, /{usr/,}bin/git rix,
# Which files youtube-dl should be able to open
owner @{HOME}/ r,
owner @{HOME}/**/ r,
owner @{MOUNTS}/**/ r,
owner /{home,media}/**.@{ytdl_ext} rw,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,
/etc/mime.types r, /etc/mime.types r,
owner @{HOME}/ r,
owner @{user_music_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
owner @{user_cache_dirs}/youtube-dl/{,**} rw, owner @{user_cache_dirs}/youtube-dl/{,**} rw,
owner @{user_config_dirs}/git/config r, owner @{user_config_dirs}/git/config r,
# External apps owner @{PROC}/@{pid}/fd/ r,
/{usr/,}bin/ffmpeg rPUx, owner @{PROC}/@{pid}/mounts r,
/{usr/,}bin/ffprobe rPUx,
include if exists <local/youtube-dl> include if exists <local/youtube-dl>
} }
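Review bot: The new `owner @{user_music_dirs}/{,**} rw,` and `owner @{user_videos_dirs}/{,**} rw,` rules replace `owner /{home,media}/**.@{ytdl_ext} rw,`, so writes are now limited to the XDG music/videos trees (plus whatever `abstractions/user-download-strict` grants) regardless of file name, and `@{MOUNTS}` is no longer covered at all. youtube-dl writes its `.part`/`.ytdl` intermediates next to the output file and by default downloads into the current directory, so a download started from any other location will now be denied; that looks like the intent of the change, but nothing in the section says so. Suggest a one-line comment above the first of these rules, e.g. `# Downloads are only permitted into the user's media directories`, so the narrowing reads as deliberate rather than accidental.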


@ -1,50 +1,19 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Mikhail Morfikov # Copyright (C) 2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
@{ytdlp_ext} = [aA]{52,[aA][cC],[cC]3}
@{ytdlp_ext} += [mM][kK][aA]
@{ytdlp_ext} += [fF][lL][aA][cC]
@{ytdlp_ext} += [mM][pP][123cC]
@{ytdlp_ext} += [oO][gGmM][aA]
@{ytdlp_ext} += [wW]{,[aA]}[vV]
@{ytdlp_ext} += [wW][mM]{,[aA]}
@{ytdlp_ext} += 3[gG]{[2pP],[pP][2pP]}
@{ytdlp_ext} += [aA][sS][fF]
@{ytdlp_ext} += [aA][vV][iI]
@{ytdlp_ext} += [dD][iI][vV][xX]
@{ytdlp_ext} += [mM][124][vV]
@{ytdlp_ext} += [mM][kKoO][vV]
@{ytdlp_ext} += [mM][pP][4aAeEgG]
@{ytdlp_ext} += [mM][pP][eE][gG]{,[124]}
@{ytdlp_ext} += [oO][gG][gGmMxXvV]
@{ytdlp_ext} += [rR][mM]{,[vV][bB]}
@{ytdlp_ext} += [wW][eE][bB][mM]
@{ytdlp_ext} += [wW][mMtT][vV]
@{ytdlp_ext} += [mM][pP]2[tT]
@{ytdlp_ext} += [mM]4[aA]
# The ytdl specific file extensions
# ytdl, part, tmp, temp
@{ytdlp_ext} += [yY][tT][dD][lL]
@{ytdlp_ext} += part{,-*}
@{ytdlp_ext} += [tT]{,[eE]}[mM][pP]
@{exec_path} = /{usr/,}bin/yt-dlp @{exec_path} = /{usr/,}bin/yt-dlp
profile yt-dlp @{exec_path} { profile yt-dlp @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
@ -63,9 +32,10 @@ profile yt-dlp @{exec_path} {
/{usr/,}bin/ffmpeg rPx, /{usr/,}bin/ffmpeg rPx,
/{usr/,}bin/ffprobe rPx, /{usr/,}bin/ffprobe rPx,
# Which files yt-dlp should be able to open /etc/magic r,
owner /media/**/ r,
owner /media/**.@{ytdlp_ext} rwk, owner @{user_music_dirs}/{,**} rw,
owner @{user_videos_dirs}/{,**} rw,
owner @{HOME}/.cache/ rw, owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/yt-dlp/ rw, owner @{HOME}/.cache/yt-dlp/ rw,
@ -73,7 +43,5 @@ profile yt-dlp @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/etc/magic r,
include if exists <local/yt-dlp> include if exists <local/yt-dlp>
} }
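Review bot: The replacement rules `owner @{user_music_dirs}/{,**} rw,` and `owner @{user_videos_dirs}/{,**} rw,` drop the `k` (lock) permission that the removed `owner /media/**.@{ytdlp_ext} rwk,` rule carried. If yt-dlp still takes file locks on its output or intermediate files, those calls will now be denied and logged inside the music/videos trees even though plain reads and writes succeed. Either carry the permission over, `owner @{user_videos_dirs}/{,**} rwk,` (and likewise for the music rule), or add a comment stating why the lock is no longer needed. The old rule also covered `/media/**`, so downloads onto removable media are no longer permitted unless one of the included abstractions grants them; worth confirming that is intended.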


@ -1,60 +1,29 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2018-2021 Mikhail Morfikov # Copyright (C) 2018-2021 Mikhail Morfikov
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
include <tunables/global> include <tunables/global>
# Video/audio extensions:
# a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
# asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, m4a
@{ytdl_ext} = [aA]{52,[aA][cC],[cC]3}
@{ytdl_ext} += [mM][kK][aA]
@{ytdl_ext} += [fF][lL][aA][cC]
@{ytdl_ext} += [mM][pP][123cC]
@{ytdl_ext} += [oO][gGmM][aA]
@{ytdl_ext} += [wW]{,[aA]}[vV]
@{ytdl_ext} += [wW][mM]{,[aA]}
@{ytdl_ext} += 3[gG]{[2pP],[pP][2pP]}
@{ytdl_ext} += [aA][sS][fF]
@{ytdl_ext} += [aA][vV][iI]
@{ytdl_ext} += [dD][iI][vV][xX]
@{ytdl_ext} += [mM][124][vV]
@{ytdl_ext} += [mM][kKoO][vV]
@{ytdl_ext} += [mM][pP][4aAeEgG]
@{ytdl_ext} += [mM][pP][eE][gG]{,[124]}
@{ytdl_ext} += [oO][gG][gGmMxXvV]
@{ytdl_ext} += [rR][mM]{,[vV][bB]}
@{ytdl_ext} += [wW][eE][bB][mM]
@{ytdl_ext} += [wW][mMtT][vV]
@{ytdl_ext} += [mM][pP]2[tT]
@{ytdl_ext} += [mM]4[aA]
# The ytdl specific file extensions
# ytdl, part, tmp, temp
@{ytdl_ext} += [yY][tT][dD][lL]
@{ytdl_ext} += part{,-*}
@{ytdl_ext} += [tT]{,[eE]}[mM][pP]
@{exec_path} = /{usr/,}bin/ytdl @{exec_path} = /{usr/,}bin/ytdl
profile ytdl @{exec_path} { profile ytdl @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/python>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
signal (receive) set=(term, kill),
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) set=(term, kill),
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/python3.[0-9]* r, /{usr/,}bin/python3.[0-9]* r,
@ -62,19 +31,16 @@ profile ytdl @{exec_path} {
/{usr/,}{s,}bin/ldconfig rix, /{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/uname rix, /{usr/,}bin/uname rix,
# Which files youtube-dl should be able to open /etc/mime.types r,
owner @{HOME}/ r, owner @{HOME}/ r,
owner @{HOME}/**/ r, owner @{user_music_dirs}/{,**} rw,
owner @{MOUNTS}/**/ r, owner @{user_videos_dirs}/{,**} rw,
owner /{home,media}/**.@{ytdl_ext} rw,
owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/etc/mime.types r,
# Needed when displaying info on available formats
owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r,
include if exists <local/ytdl> include if exists <local/ytdl>
} }
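Review bot: The why-comment `# Needed when displaying info on available formats` was dropped from the retained rule `owner @{user_cache_dirs}/youtube-dl/youtube-sigfuncs/js*.json r,` when the block was reordered, while the rule itself stays. The comment is the only thing explaining why a profile named ytdl reads youtube-dl's cache directory, which is not obvious from the path alone, so it should be restored directly above that rule. The reordering also removed the `# Which files youtube-dl should be able to open` heading; a one-liner such as `# Download locations` above the new `@{user_music_dirs}`/`@{user_videos_dirs}` rules would keep the section readable.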