diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
new file mode 100644
index 00000000..10417587
--- /dev/null
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -0,0 +1,59 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/org.gnome.NautilusPreviewer
+profile org.gnome.NautilusPreviewer @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ @{bin}/gjs-console r,
+
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+
+ /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,
+
+ /etc/machine-id r,
+
+ # Full read access to user's data
+ owner @{MOUNTS}/{,**} r,
+ owner @{HOME}/{,**} r,
+
+ owner @{user_config_dirs}/pulse/cookie rk,
+
+ @{run}/udev/data/c3[0-9]*:@{int} r, # For dynamic assignment range 384 to 511
+ @{run}/udev/data/c4[0-9]*:@{int} r,
+ @{run}/udev/data/c5[0-9]*:@{int} r,
+
+ @{sys}/devices/@{pci}/revision r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/zoneinfo r,
+ owner @{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+ include if exists
+}
\ No newline at end of file
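Review bot: The udev globs in the `@{run}/udev/data/c3[0-9]*:@{int} r,` rule and its two siblings are far wider than the trailing comment "For dynamic assignment range 384 to 511": `c3[0-9]*` also matches char majors 3, 30–39 and 300–383, `c4[0-9]*` matches 4 (tty) and 40–49, and `c5[0-9]*` matches 5, 50–59 and 512–599. The udev data files are world-readable, so this is mostly a rule/comment mismatch rather than a leak, but if the intent really is the dynamic range the rules can express it exactly: `@{run}/udev/data/c3[89][0-9]:@{int} r,`, `@{run}/udev/data/c4[0-9][0-9]:@{int} r,` and `@{run}/udev/data/c5{0[0-9],1[01]}:@{int} r,` (the file already uses `{,**}`-style alternation). Separately, `owner @{HOME}/{,**} r` under `# Full read access to user's data` also covers `~/.ssh`, `~/.gnupg` and browser profiles in a process that parses untrusted file formats and can exec `xdg-open` via `child-open`; the abstraction names on the `include` lines were lost in extraction, so I cannot tell whether a private-files abstraction already carves those out — worth confirming, and stating the trade-off in that comment either way.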