diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any new file mode 100644 index 00000000..3fcfe4ab --- /dev/null +++ b/apparmor.d/groups/children/child-open-any @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open allows to open any programs. + +abi , + +include + +profile child-open-any flags=(attach_disconnected) { + include + include + + @{open_path} mr, + + @{sh_path} r, + + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, + + @{bin}/ r, + @{user_bin_dirs}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, + + /dev/tty rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor +