diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 99f7d852..5b165872 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -4,58 +4,50 @@
 # Define some paths for some commonly used programs
-# Default distribution shells
-@{sh} = sh bash dash
+# Shells
 @{sh_path} = @{bin}/@{sh}
-
-# All interactive shells users may want to use
-@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
 @{shells_path} = @{bin}/@{shells}
+# Coreutils programs that should not have dedicated profile
+@{coreutils_path} = @{bin}/@{coreutils}
+
 # Browsers
-
-@{brave_name} = brave{,-beta,-dev,-bin}
-@{brave_lib_dirs} = /opt/brave{-bin,.com}{,/@{brave_name}}
 @{brave_path} = @{brave_lib_dirs}/@{brave_name}
-
-@{chrome_name} = chrome{,-beta,-stable,-unstable}
-@{chrome_lib_dirs} = /opt/google/@{chrome_name}
 @{chrome_path} = @{opera_lib_dirs}/@{chrome_name}
-
-@{chromium_name} = chromium
-@{chromium_lib_dirs} = @{lib}/@{chromium_name}
 @{chromium_path} = @{chromium_lib_dirs}/@{chromium_name}
-
-@{firefox_name} = firefox{,.sh,-esr,-bin}
-@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
 @{firefox_path} = @{bin}/@{firefox_name} @{firefox_lib_dirs}/@{firefox_name}
-
-@{opera_name} = opera{,-beta,-developer}
-@{opera_lib_dirs} = @{lib}/@{multiarch}/@{opera_name}
+@{msedge_path} = @{msedge_lib_dirs}/@{msedge_name}
 @{opera_path} = @{opera_lib_dirs}/@{opera_name}
+@{torbrowser_path} = @{torbrowser_lib_dirs}/firefox{,.real}
-@{browsers_path} = @{brave_path} @{chrome_path} @{chromium_path} @{firefox_path} @{opera_path}
+@{browsers_path} = @{bin}/chromium @{bin}/torbrowser
+@{browsers_path} += @{brave_path} @{chrome_path} @{chromium_path} @{firefox_path} @{msedge_path} @{opera_path}
+@{browsers_path} += @{torbrowser_path} #aa:only whonix
 # Emails
-
-@{thunderbird_name} = thunderbird{,.sh,-bin}
-@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
 @{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}
+@{emails_path} = @{thunderbird_path} @{bin}/@{emails}
 # Open
-
 @{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio
 @{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
 @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
-# Coreutils programs that should not have dedicated profile
-@{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
-@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand
-@{coreutils} += expr factor false find fmt fold gawk {,e,f}grep head hostid id install join link
-@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
-@{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
-@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
-@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
-@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes
-@{coreutils_path} = @{bin}/@{coreutils}
+# File explorers
+@{file_explorers_path} = @{bin}/@{file_explorers}
+
+# Text editors
+@{text_edirors_path} = @{bin}/@{text_edirors} /usr/share/code/{bin/,}code
+
+# Document viewers
+@{document_viewers_path} = @{bin}/@{document_viewers}
+
+# Image viewers
+@{image_viewers_path} = @{bin}/@{image_viewers}
+
+# Archive viewers
+@{archive_viewers_path} = @{bin}/@{archive_viewers}
+
+# Office suites
+@{offices_path} = @{bin}/@{offices} @{lib}/libreoffice/program/soffice
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
new file mode 100644
index 00000000..c1eb25e0
--- /dev/null
+++ b/apparmor.d/tunables/multiarch.d/programs
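Review bot: `@{chrome_path} = @{opera_lib_dirs}/@{chrome_name}` (a context line the commit keeps, directly below the removed `@{chrome_lib_dirs}` definition) builds the Chrome path from Opera's library directory, so it expands under `@{lib}/@{multiarch}/opera*/` instead of `/opt/google/chrome*/`, and the `@{chrome_lib_dirs}` variable moved to `programs` is otherwise unused. Now that `@{browsers_path}` is the label profiles will grant, this pre-existing slip leaves the real Chrome binary outside every rule that uses it, which is a policy gap rather than a cosmetic one. The fix is `@{chrome_path} = @{chrome_lib_dirs}/@{chrome_name}`. Separately, `@{text_edirors_path}` / `@{text_edirors}` carry a typo that is consistent between the two files and therefore parses, but any profile author who writes the expected `@{text_editors_path}` will get an undefined-variable error; renaming both to `text_editors` now is cheaper than after profiles depend on the misspelling.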
@@ -0,0 +1,70 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Define some some commonly used programs. This is not an exhaustive list.
+# It is meant to label programs to easily provide access in profiles.
+
+# Default distribution shells
+@{sh} = sh bash dash
+
+# All interactive shells users may want to use
+@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
+
+# Coreutils programs that should not have dedicated profile
+@{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
+@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand
+@{coreutils} += expr factor false find fmt fold gawk {,e,f}grep head hostid id install join link
+@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+@{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
+@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
+@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
+@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes
+
+# Browsers
+
+@{brave_name} = brave{,-beta,-dev,-bin}
+@{brave_lib_dirs} = /opt/brave{-bin,.com}{,/@{brave_name}}
+
+@{chrome_name} = chrome{,-beta,-stable,-unstable}
+@{chrome_lib_dirs} = /opt/google/@{chrome_name}
+
+@{chromium_name} = chromium
+@{chromium_lib_dirs} = @{lib}/@{chromium_name}
+
+@{firefox_name} = firefox{,.sh,-esr,-bin}
+@{firefox_lib_dirs} = @{lib}/@{firefox_name} /opt/@{firefox_name}
+
+@{opera_name} = opera{,-beta,-developer}
+@{opera_lib_dirs} = @{lib}/@{multiarch}/@{opera_name}
+
+@{msedge_name} = msedge{,-beta,-dev}
+@{msedge_lib_dirs} = /opt/microsoft/@{name}
+
+@{torbrowser_name} = torbrowser "tor browser"
+@{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/
+
+# Emails
+
+@{thunderbird_name} = thunderbird{,.sh,-bin}
+@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
+
+@{emails} = evolution geary
+
+# File explorers
+@{file_explorers} = dolphin nautilus thunar
+
+# Text editors
+@{text_edirors} = code gedit mousepad gnome-text-editor
+
+# Document viewers
+@{document_viewers} = evince okular *{F,f}oliate YACReader
+
+# Image viewers
+@{image_viewers} = eog loupe ristretto
+
+# Archive viewers
+@{archive_viewers} = engrampa file-roller xarchiver
+
+# Office suites
+@{offices} = libreoffice soffice
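Review bot: `@{msedge_lib_dirs} = /opt/microsoft/@{name}` references `@{name}` rather than `@{msedge_name}`, so `@{msedge_path}` in `paths` (which appends `/@{msedge_name}` to it) does not resolve to the Edge install directory: if `@{name}` is undefined at tunable scope the parser should reject the policy, and if a profile happens to define its own `@{name}` the Edge path silently takes that profile's value instead. The line should read `@{msedge_lib_dirs} = /opt/microsoft/@{msedge_name}`. `@{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/` ends in a slash while `paths` appends `/firefox{,.real}`, which yields a `//` in the expanded rule; unless the parser collapses that, the rule will not match the real binary, so dropping the trailing slash is the safer form. The header comment also reads `Define some some commonly used programs`.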