feat(abs): improve some common user abstraction.

2025-01-18 08:58:15 +01:00 · 2024-05-07 16:10:09 +01:00 · 2024-05-07 16:10:09 +01:00 · 9a2f4b5dbe
commit 9a2f4b5dbe
parent eb4beb04dc
4 changed files with 15 additions and 45 deletions
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -8,18 +8,13 @@
  /usr/share/*/*                rPUx,
  /usr/local/bin/*              rPUx,

-  # Browsers
  @{bin}/chromium               rPx,
  @{brave_path}                 rPx,
  @{chrome_path}                rPx,
  @{chromium_path}              rPx,
  @{firefox_path}               rPx,
  @{opera_path}                 rPx,
-
-  # Emails
  @{thunderbird_path}           rPx,
-
-  # Office
  @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,

  @{bin}/                       r,
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -14,33 +14,15 @@
  @{bin}/flatpak                rPUx,
  @{bin}/snap                   rPUx,

-  # Files explorer
-  @{bin}/nautilus               rPx,
-  @{bin}/dolphin                rPx,
-
-  # Browsers
-  @{bin}/chromium               rPx,
-  @{brave_path}                 rPx,
-  @{chrome_path}                rPx,
-  @{chromium_path}              rPx,
-  @{firefox_path}               rPx,
-  @{opera_path}                 rPx,
-
-  # Text editors
-  @{bin}/code                   rPUx,
-  @{bin}/gedit                  rPUx,
-  @{bin}/gnome-text-editor      rPUx,
-  /usr/share/code/{bin/,}code   rPUx,
-
-  # Emails
-  @{thunderbird_path}           rPx,
-  @{bin}/geany                  rPUx,
-
-  # Documents viewers
-  @{bin}/evince                 rPx,
-  @{bin}/okular                 rPx,
-  @{bin}/*{F,f}oliate           rPUx,
-  @{bin}/YACReader              rPx,
+  # Labeled programs
+  @{archive_viewers_path}       rPUx,
+  @{browsers_path}              rPx,
+  @{document_viewers_path}      rPUx,
+  @{emails_path}                rPUx,
+  @{file_explorers_path}        rPx,
+  @{image_viewers_path}         rPUx,
+  @{offices_path}               rPUx,
+  @{text_edirors_path}          rPUx,

  # Others
  @{bin}/blueman-tray           rPx,
@ -48,33 +30,24 @@
  @{bin}/draw.io                rPUx,
  @{bin}/dropbox                rPx,
  @{bin}/element-desktop        rPx,
-  @{bin}/engrampa               rPx,
-  @{bin}/eog                    rPUx,
  @{bin}/extension-manager      rPx,
-  @{bin}/file-roller            rPUx,
  @{bin}/filezilla              rPx,
  @{bin}/flameshot              rPx,
-  @{bin}/flatpak                rPUx,
  @{bin}/gimp*                  rPUx,
  @{bin}/gnome-calculator       rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks            rPx,
  @{bin}/gwenview               rPUx,
  @{bin}/kgx                    rPx,
-  @{bin}/okular                 rPx,
  @{bin}/qbittorrent            rPx,
  @{bin}/qpdfview               rPx,
  @{bin}/smplayer               rPx,
-  @{bin}/spacefm                rPx,
  @{bin}/steam-runtime          rPUx,
-  @{bin}/teams                  rPUx,
  @{bin}/telegram-desktop       rPx,
  @{bin}/transmission-gtk       rPx,
  @{bin}/viewnior               rPUx,
  @{bin}/vlc                    rPUx,
-  @{bin}/xarchiver              rPx,
  @{bin}/xbrlapi 	              rPx,
-  @{bin}/yelp                   rPUx,
-  @{lib}/libreoffice/program/{soffice{,.bin},oosplash} rPUx,
+

  include if exists <abstractions/app-open.d>
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@ -50,6 +50,8 @@
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,

+  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+
  owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
  owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
  owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@ -40,9 +40,9 @@
  deny @{user_share_dirs}/kwalletd/{,**}  mrwkl,

  # User defined private directories
-  deny @{user_private_dirs}/**               mrxwlk,
-  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/**  mrxwlk,
-  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/**    mrxwlk,
+  deny @{user_private_dirs}/{,**}               mrxwlk,
+  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**}  mrxwlk,
+  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**}    mrxwlk,

  # Deny executable mapping in writable space as allowed in abstractions/fonts
  deny @{HOME}/.{,cache/}fontconfig/ rw,