mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): fractal uses bwrap for loading image.

Browse source
This commit is contained in:
Alexandre Pujol 2024-11-12 20:43:52 +00:00
parent 4108d6a987
commit c741f74323
Failed to generate hash of commit
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
apparmor.d/profiles-a-f/fractal
View file

@ -21,10 +21,14 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal send set=kill peer=fractal//bwrap,
@{exec_path} mr, @{exec_path} mr,
@{open_path} rPx -> child-open-help, @{open_path} rPx -> child-open-help,
@{bin}/bwrap rCx -> bwrap,
/usr/share/glycin-loaders/{,**} r,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
owner @{tmp}/.@{rand6} rw, owner @{tmp}/.@{rand6} rw,
@ -37,6 +41,22 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
/dev/ r, /dev/ r,
profile bwrap flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/bwrap>
signal receive set=kill peer=fractal,
@{bin}/bwrap mr,
@{lib}/glycin-loaders/*/glycin-* rix,
owner @{PROC}/@{pid}/fd/ r,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/fractal_bwrap>
}
include if exists <local/fractal> include if exists <local/fractal>
} }