mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 17:08:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): ensure child-open is available.

Browse source
This commit is contained in:
Alexandre Pujol 2023-09-10 12:10:14 +01:00
parent 3147f7d59a
commit e381aace56
Failed to generate hash of commit
7 changed files with 17 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/children/child-open
View file

@ -93,7 +93,6 @@ profile child-open {
@{bin}/xbrlapi rPx, @{bin}/xbrlapi rPx,
@{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx, @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
include if exists <usr/child-open.d> include if exists <usr/child-open.d>
include if exists <local/child-open> include if exists <local/child-open>
} }

3
apparmor.d/groups/gnome/gnome-software
View file

@ -39,7 +39,8 @@ profile gnome-software @{exec_path} {
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg, @{bin}/gpgsm rCx -> gpg,
@{lib}/gio-launch-desktop rPx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{lib}/revokefs-fuse rix, @{lib}/revokefs-fuse rix,
/usr/share/app-info/{,**} r, /usr/share/app-info/{,**} r,

4
apparmor.d/groups/gnome/nautilus
View file

@ -47,7 +47,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
@{bin}/firejail rPUx, @{bin}/firejail rPUx,
@{bin}/net rPUx, @{bin}/net rPUx,
@{bin}/tracker3 rPUx, @{bin}/tracker3 rPUx,
@{lib}/gio-launch-desktop rPx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
/usr/share/*ubuntu/applications/{,**} r, /usr/share/*ubuntu/applications/{,**} r,
/usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/icu/@{int}.@{int}/*.dat r,

2
apparmor.d/groups/ubuntu/ubuntu-advantage
View file

@ -38,7 +38,7 @@ profile ubuntu-advantage @{exec_path} {
@{bin}/apt-get rPx, @{bin}/apt-get rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/snap rPx, @{bin}/snap rPUx,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/ubuntu-distro-info rPx, @{bin}/ubuntu-distro-info rPx,

37
apparmor.d/profiles-a-f/blueman
View file

@ -32,10 +32,11 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/{b,d}ash rix, @{bin}/{b,d}ash rix,
@{lib}/gio-launch-desktop rix,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{bin}/blueman-tray rPx, @{bin}/blueman-tray rPx,
@{bin}/xdg-open rCx -> open,
/usr/share/blueman/{,**} r, /usr/share/blueman/{,**} r,
/usr/share/X11/xkb/{,**} r, /usr/share/X11/xkb/{,**} r,
@ -71,37 +72,5 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
profile open {
include <abstractions/base>
include <abstractions/xdg-open>
@{bin}/xdg-open mr,
@{bin}/{,ba,da}sh rix,
@{bin}/basename rix,
@{bin}/dbus-send rix,
@{bin}/file rix,
@{bin}/{m,g,}awk rix,
@{bin}/mimetype rix,
@{bin}/readlink rix,
@{bin}/uname rix,
@{bin}/xprop rix,
# Allowed apps to open
@{lib}/firefox/firefox rPx,
@{bin}/spacefm rPx,
/usr/share/perl5/** r,
/etc/magic r,
owner @{HOME}/ r,
owner @{HOME}/bluetooth*/* r,
owner @{HOME}/.xsession-errors w,
owner @{run}/user/@{uid}/ r,
}
include if exists <local/blueman> include if exists <local/blueman>
} }

7
apparmor.d/profiles-a-f/code
View file

@ -40,13 +40,14 @@ profile code flags=(attach_disconnected) {
@{lib}/code/node_modules.asar.unpacked/**.node rm, @{lib}/code/node_modules.asar.unpacked/**.node rm,
# Core tools # Core tools
@{bin}/gio rPx -> child-open,
@{bin}/git rPx, @{bin}/git rPx,
@{bin}/rg rix,
@{bin}/gpg{,2} rPx, @{bin}/gpg{,2} rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/gio rPx -> child-open, @{bin}/rg rix,
@{lib}/gio-launch-desktop rPx -> child-open,
@{bin}/xdg-open rPx -> child-open, @{bin}/xdg-open rPx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
# The shell is not confined on purpose. # The shell is not confined on purpose.
@{bin}/{,b,d,rb}ash rUx, @{bin}/{,b,d,rb}ash rUx,

6
apparmor.d/profiles-g-l/gpartedbin
View file

@ -67,8 +67,10 @@ profile gpartedbin @{exec_path} {
@{bin}/tune2fs rPx, @{bin}/tune2fs rPx,
@{bin}/xfs_io rPUx, @{bin}/xfs_io rPUx,
@{bin}/xdg-open rCx -> child-open, @{bin}/xdg-open rPx -> child-open,
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open, @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
@{lib}/gio-launch-desktop rPx -> child-open,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
owner @{HOME}/*.htm w, owner @{HOME}/*.htm w,