From 92b45f895cc71b013f5be8030bd5fac593d8d8c7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 19 Sep 2024 00:16:07 +0100
Subject: [PATCH] feat(profile): add child-open-any.

---
 apparmor.d/groups/children/child-open-any | 42 +++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 apparmor.d/groups/children/child-open-any

diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any
new file mode 100644
index 00000000..3fcfe4ab
--- /dev/null
+++ b/apparmor.d/groups/children/child-open-any
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# This profile is designed to be used in a child profile to limit what
+# confined application can invoke via open helper.
+
+# This version of child-open allows to open any programs.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile child-open-any flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/desktop>
+
+  @{open_path} mr,
+
+  @{sh_path} r,
+
+  @{bin}/**                     PUx,
+  @{lib}/**                     PUx,
+  @{user_bin_dirs}/**           PUx,
+  /opt/*/**                     PUx,
+  /usr/local/bin/**             PUx,
+  /usr/share/**                 PUx,
+
+  @{bin}/                       r,
+  @{user_bin_dirs}/             r,
+  /                             r,
+  /usr/                         r,
+  /usr/local/bin/               r,
+  
+  /dev/tty rw,
+
+  include if exists <usr/child-open-any.d>
+  include if exists <local/child-open-any>
+}
+
+# vim:syntax=apparmor
+