feat(profile): fractal uses bwrap for loading image.

2025-01-18 08:58:15 +01:00 · 2024-11-12 20:43:52 +00:00 · 2024-11-12 20:43:52 +00:00 · c741f74323
commit c741f74323
parent 4108d6a987
1 changed files with 20 additions and 0 deletions
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@ -21,10 +21,14 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,

+  signal send set=kill peer=fractal//bwrap,
+
  @{exec_path} mr,

  @{open_path}  rPx -> child-open-help,
+  @{bin}/bwrap  rCx -> bwrap,

+  /usr/share/glycin-loaders/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

  owner @{tmp}/.@{rand6} rw,
@ -37,6 +41,22 @@ profile fractal @{exec_path} flags=(attach_disconnected) {

  /dev/ r,

+  profile bwrap flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/common/bwrap>
+
+    signal receive set=kill peer=fractal,
+
+    @{bin}/bwrap mr,
+    @{lib}/glycin-loaders/*/glycin-* rix,
+
+    owner @{PROC}/@{pid}/fd/ r,
+
+    deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists <local/fractal_bwrap>
+  }
+
  include if exists <local/fractal>
 }