diff --git a/cmd/prebuild/prepare.go b/cmd/prebuild/prepare.go index ef148a17..8d6e861a 100644 --- a/cmd/prebuild/prepare.go +++ b/cmd/prebuild/prepare.go @@ -113,12 +113,21 @@ func Configure() error { return err } - case "ubuntu", "opensuse": + case "opensuse": aa.Tunables["libexec"] = []string{"/{usr/,}libexec"} if err := setLibexec(); err != nil { return err } + case "ubuntu": + aa.Tunables["libexec"] = []string{"/{usr/,}libexec"} + if err := setLibexec(); err != nil { + return err + } + if err := paths.New("dists/ubuntu/trash").CopyTo(RootApparmord.Join("abstractions", "trash")); err != nil { + return err + } + case "debian", "whonix": aa.Tunables["libexec"] = []string{"/{usr/,}libexec"} if err := setLibexec(); err != nil { diff --git a/dists/ubuntu/trash b/dists/ubuntu/trash new file mode 100644 index 00000000..68a43c06 --- /dev/null +++ b/dists/ubuntu/trash @@ -0,0 +1,75 @@ +abi , + +# requires + + owner @{HOME}/.config/trashrc rw, + owner @{HOME}/.config/trashrc.lock rwk, + owner @{HOME}/.config/#[0-9]*[0-9] rwk, + owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + + owner @{run}/user/@{uid}/#[0-9]*[0-9] rw, + owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9], + + # Home trash location + owner @{HOME}/.local/share/Trash/ rw, + owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw, + owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9], + owner @{HOME}/.local/share/Trash/files/{,**} rw, + owner @{HOME}/.local/share/Trash/info/ rw, + owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw, + owner @{HOME}/.local/share/Trash/expunged/ rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]*/ rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]*/** rw, + + # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir + owner /media/*/.Trash/ rw, + owner /media/*/.Trash/@{uid}/ rw, + owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw, + owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash/@{uid}/files/{,**} rw, + owner /media/*/.Trash/@{uid}/info/ rw, + owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash/@{uid}/expunged/ rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw, + + # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir + owner /media/*/.Trash-@{uid}/ rw, + owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw, + owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash-@{uid}/files/{,**} rw, + owner /media/*/.Trash-@{uid}/info/ rw, + owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash-@{uid}/expunged/ rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw, + + # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir + owner /media/*/*/.Trash/ rw, + owner /media/*/*/.Trash/@{uid}/ rw, + owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw, + owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash/@{uid}/files/{,**} rw, + owner /media/*/*/.Trash/@{uid}/info/ rw, + owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/*/.Trash/@{uid}/expunged/ rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw, + + # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir + owner /media/*/*/.Trash-@{uid}/ rw, + owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw, + owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash-@{uid}/files/{,**} rw, + owner /media/*/*/.Trash-@{uid}/info/ rw, + owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/*/.Trash-@{uid}/expunged/ rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw, + + include if exists