From e381aace56e1de3256b444f6bfbf6415c5335070 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Sep 2023 12:10:14 +0100
Subject: [PATCH] feat(profiles): ensure child-open is available.
---
 apparmor.d/groups/children/child-open | 1 -
 apparmor.d/groups/gnome/gnome-software | 3 +-
 apparmor.d/groups/gnome/nautilus | 4 ++-
 apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +-
 apparmor.d/profiles-a-f/blueman | 37 ++---------------------
 apparmor.d/profiles-a-f/code | 7 +++--
 apparmor.d/profiles-g-l/gpartedbin | 6 ++--
 7 files changed, 17 insertions(+), 43 deletions(-)
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index f3d028f2..1d06f5c6 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -93,7 +93,6 @@ profile child-open {
 @{bin}/xbrlapi rPx,
 @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
- include if exists
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index b7bf3af9..3af4a84b 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -39,7 +39,8 @@ profile gnome-software @{exec_path} {
 @{bin}/gpg{,2} rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
 @{bin}/gpgsm rCx -> gpg,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
 @{lib}/revokefs-fuse rix,
 /usr/share/app-info/{,**} r,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index ebc8c64a..bf9e7ee6 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
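Review bot: The two `gio-launch-desktop` rules added here (the `@{lib}/@{multiarch}/glib-[0-9]*/` path and the plain `@{lib}/` path, both `rPx -> child-open`) are repeated verbatim in the nautilus, blueman, code and gpartedbin hunks of this commit, so the next path or transition change has to be made in five places. Consider moving the pair into one shared abstraction that each of these profiles includes, so the launcher transition stays uniform. `rPx` is the right mode from a confinement standpoint: if the `child-open` profile is not loaded the exec is denied rather than silently run unconfined, which is what the commit title asks for, but it also means every one of these profiles now hard-depends on `child-open` being shipped alongside it. That dependency is worth stating in a comment above the pair, e.g. `# Launcher helpers always run confined as child-open (rPx: no unconfined fallback)`.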
@@ -47,7 +47,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 @{bin}/firejail rPUx,
 @{bin}/net rPUx,
 @{bin}/tracker3 rPUx,
- @{lib}/gio-launch-desktop rPx -> child-open,
+
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
 /usr/share/*ubuntu/applications/{,**} r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index f4962c2e..5cb28267 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -38,7 +38,7 @@ profile ubuntu-advantage @{exec_path} {
 @{bin}/apt-get rPx,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/ps rPx,
- @{bin}/snap rPx,
+ @{bin}/snap rPUx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/ubuntu-distro-info rPx,
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 350705cd..30e3323c 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -32,10 +32,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
 @{bin}/{b,d}ash rix,
- @{lib}/gio-launch-desktop rix,
+
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
 @{bin}/blueman-tray rPx,
- @{bin}/xdg-open rCx -> open,
 /usr/share/blueman/{,**} r,
 /usr/share/X11/xkb/{,**} r,
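Review bot: Changing `@{bin}/snap rPx,` to `@{bin}/snap rPUx,` in the ubuntu-advantage hunk widens confinement: with `PUx`, snap runs unconfined whenever no `snap` profile is loaded instead of the exec being denied, and nothing in the commit message (which is about `child-open`) says why this fallback is wanted here. The other `@{bin}/` rules in the hunk keep `rPx` or `rCx`, so this line becomes the only unconfined fallback in the visible block. If a `snap` profile is genuinely optional on some targets, state that in a comment above the rule, e.g. `# <reason the snap profile may be absent on this target>` (placeholder to fill in); otherwise `rPx` should stay.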
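Review bot: The blueman hunk removes `@{bin}/xdg-open rCx -> open,` (and the second blueman hunk deletes the `open` subprofile it pointed at) without adding a replacement `@{bin}/xdg-open` rule, so unless a rule outside the hunk covers it, an `xdg-open` exec from blueman is now denied rather than routed through `child-open`. The code and gpartedbin hunks of this same commit use `@{bin}/xdg-open rPx -> child-open,`; adding that line next to the two `gio-launch-desktop` rules would keep the profiles consistent. Turning `@{lib}/gio-launch-desktop rix,` into a `rPx -> child-open` transition is a tightening, since launched applications no longer inherit blueman's profile. Note that the deleted `open` subprofile enumerated its launch targets (`@{lib}/firefox/firefox`, `@{bin}/spacefm`) whereas `child-open` is the shared launcher profile, so whatever it permits is now launchable from blueman; that appears to be the intent, and a one-line comment above the pair would make it explicit, e.g. `# Opening targets is delegated to child-open (replaces the former open subprofile)`.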
@@ -71,37 +72,5 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
- profile open {
- include
- include
- @{bin}/xdg-open mr,
- @{bin}/{,ba,da}sh rix,
- @{bin}/basename rix,
- @{bin}/dbus-send rix,
- @{bin}/file rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/mimetype rix,
- @{bin}/readlink rix,
- @{bin}/uname rix,
- @{bin}/xprop rix,
-
- # Allowed apps to open
- @{lib}/firefox/firefox rPx,
- @{bin}/spacefm rPx,
-
- /usr/share/perl5/** r,
-
- /etc/magic r,
-
- owner @{HOME}/ r,
- owner @{HOME}/bluetooth*/* r,
- owner @{HOME}/.xsession-errors w,
-
- owner @{run}/user/@{uid}/ r,
-
- }
-
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index a3d65766..96c46a9c 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@@ -40,13 +40,14 @@ profile code flags=(attach_disconnected) {
 @{lib}/code/node_modules.asar.unpacked/**.node rm,
 # Core tools
+ @{bin}/gio rPx -> child-open,
 @{bin}/git rPx,
- @{bin}/rg rix,
 @{bin}/gpg{,2} rPx,
 @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/gio rPx -> child-open,
- @{lib}/gio-launch-desktop rPx -> child-open,
+ @{bin}/rg rix,
 @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
 # The shell is not confined on purpose.
 @{bin}/{,b,d,rb}ash rUx,
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index 8c685673..62e004ed 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -67,8 +67,10 @@ profile gpartedbin @{exec_path} {
 @{bin}/tune2fs rPx,
 @{bin}/xfs_io rPUx,
- @{bin}/xdg-open rCx -> child-open,
- @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open,
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+
 @{HOME}/.Xauthority r,
 owner @{HOME}/*.htm w,