diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user
index 83b29560..73f4e0b2 100644
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@@ -8,18 +8,13 @@
   /usr/share/*/* rPUx,
   /usr/local/bin/* rPUx,
 
-  # Browsers
   @{bin}/chromium rPx,
   @{brave_path} rPx,
   @{chrome_path} rPx,
   @{chromium_path} rPx,
   @{firefox_path} rPx,
   @{opera_path} rPx,
-
-  # Emails
   @{thunderbird_path} rPx,
-
-  # Office
   @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
 
   @{bin}/ r,
diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open
index 8d14fdd9..7da5c668 100644
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@@ -14,33 +14,15 @@
   @{bin}/flatpak rPUx,
   @{bin}/snap rPUx,
 
-  # Files explorer
-  @{bin}/nautilus rPx,
-  @{bin}/dolphin rPx,
-
-  # Browsers
-  @{bin}/chromium rPx,
-  @{brave_path} rPx,
-  @{chrome_path} rPx,
-  @{chromium_path} rPx,
-  @{firefox_path} rPx,
-  @{opera_path} rPx,
-
-  # Text editors
-  @{bin}/code rPUx,
-  @{bin}/gedit rPUx,
-  @{bin}/gnome-text-editor rPUx,
-  /usr/share/code/{bin/,}code rPUx,
-
-  # Emails
-  @{thunderbird_path} rPx,
-  @{bin}/geany rPUx,
-
-  # Documents viewers
-  @{bin}/evince rPx,
-  @{bin}/okular rPx,
-  @{bin}/*{F,f}oliate rPUx,
-  @{bin}/YACReader rPx,
+  # Labeled programs
+  @{archive_viewers_path} rPUx,
+  @{browsers_path} rPx,
+  @{document_viewers_path} rPUx,
+  @{emails_path} rPUx,
+  @{file_explorers_path} rPx,
+  @{image_viewers_path} rPUx,
+  @{offices_path} rPUx,
+  @{text_edirors_path} rPUx,
 
   # Others
   @{bin}/blueman-tray rPx,
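Review bot: `@{text_edirors_path}` on the last added line of the app-open hunk reads like a misspelling of `text_editors_path`; unless a variable with that exact spelling is defined elsewhere, the reference will not resolve and the abstraction will fail to parse, so it should be `@{text_editors_path} rPUx,`. The same hunk also downgrades transition strictness: `@{thunderbird_path}`, `@{bin}/evince`, `@{bin}/okular` and `@{bin}/YACReader` were `rPx` (a dedicated profile is mandatory) and are now reached through `@{emails_path}` and `@{document_viewers_path}` with `rPUx`, which silently falls back to unconfined execution when no profile is loaded for the target — if that relaxation is deliberate, a comment such as `# rPUx: fall back to unconfined when no profile is installed for the target` would make it reviewable, otherwise keep `rPx` for those two groups as is done for browsers and file explorers. The `*_path` variable definitions are outside this diff, so whether each group covers every removed entry (for example `/usr/share/code/{bin/,}code` and `@{bin}/geany`) cannot be checked here.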
@@ -48,33 +30,24 @@ @{bin}/draw.io rPUx, @{bin}/dropbox rPx, @{bin}/element-desktop rPx, - @{bin}/engrampa rPx, - @{bin}/eog rPUx, @{bin}/extension-manager rPx, - @{bin}/file-roller rPUx, @{bin}/filezilla rPx, @{bin}/flameshot rPx, - @{bin}/flatpak rPUx, @{bin}/gimp* rPUx, @{bin}/gnome-calculator rPUx, @{bin}/gnome-disk-image-mounter rPx, @{bin}/gnome-disks rPx, @{bin}/gwenview rPUx, @{bin}/kgx rPx, - @{bin}/okular rPx, @{bin}/qbittorrent rPx, @{bin}/qpdfview rPx, @{bin}/smplayer rPx, - @{bin}/spacefm rPx, @{bin}/steam-runtime rPUx, - @{bin}/teams rPUx, @{bin}/telegram-desktop rPx, @{bin}/transmission-gtk rPx, @{bin}/viewnior rPUx, @{bin}/vlc rPUx, - @{bin}/xarchiver rPx, @{bin}/xbrlapi rPx, - @{bin}/yelp rPUx, - @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx, + include if exists diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index c8541282..22aa0d78 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -50,6 +50,8 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 5cff2299..ccae3cf4 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
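Review bot: `@{bin}/teams rPUx,` and `@{bin}/yelp rPUx,` are removed from the "Others" list with no obvious counterpart among the labeled groups introduced in the previous hunk (archive viewers, browsers, document viewers, emails, file explorers, image viewers, offices, text editors), so unless the corresponding `*_path` variables happen to include them, launching those programs from a confined application will now be denied; a short commit note or an explicit rule would settle that. The hunk moves `@{bin}/eog` out but keeps `@{bin}/gwenview rPUx,` and `@{bin}/viewnior rPUx,`, which are image viewers as well — either they belong under `@{image_viewers_path}` too or a comment should say why they stay listed individually. Dropping `@{bin}/flatpak rPUx,` here is fine since the identical rule remains near the top of the file (visible as context in the first hunk).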
@@ -40,9 +40,9 @@
   deny @{user_share_dirs}/kwalletd/{,**} mrwkl,
 
   # User defined private directories
-  deny @{user_private_dirs}/** mrxwlk,
-  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/** mrxwlk,
-  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/** mrxwlk,
+  deny @{user_private_dirs}/{,**} mrxwlk,
+  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
+  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk,
 
   # Deny executable mapping in writable space as allowed in abstractions/fonts
   deny @{HOME}/.{,cache/}fontconfig/ rw,
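Review bot: Switching `/**` to `/{,**}` extends the three deny rules to the private directory node itself, not only its contents, which is a behavioural change the comment above them does not mention; since `deny` rules override any allow rule in the including profile, programs that previously could stat or list the directory (read on the node) will now be refused, and anyone debugging such denials will want that intent documented. Suggest `# User defined private directories: deny the directory itself and everything below it` in place of the current comment line.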