feat(abs): rewrite the app/open abstraction to accomodate kde requirements.

See #630 #605 #647
2025-01-23 19:38:12 +01:00 · 2025-01-20 22:40:36 +01:00 · 2025-01-20 22:40:36 +01:00 · ef99c81eb1
commit ef99c81eb1
parent f15cbdfc5b
2 changed files with 28 additions and 13 deletions
--- a/apparmor.d/abstractions/app/open
+++ b/apparmor.d/abstractions/app/open
@ -3,19 +3,42 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no

-# Full set of rules for child-open-* profiles.
+# Full set of rules for desktop generic open-* used in child-open-* profiles.

  abi <abi/4.0>,

  include <abstractions/desktop>

-  @{open_path} mrix,
+  # We cannot use `@{open_path} mrix,` here because it includes:
+  #     @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
+  # And `@{multiarch}` as a wildcard that cannot be merged and that will generate 
+  # "has merged rule with conflicting x modifiers" error when used with other
+  # wilcard over PUx transition.
+  @{bin}/exo-open mrix,
+  @{bin}/xdg-open mrix,
+  @{bin}/gio mrix,
+  @{bin}/kde-open mrix,
+  @{bin}/gio-launch-desktop mrix,
+  @{lib}/gio-launch-desktop mrix,

-  @{sh_path} r,
  @{bin}/env rix,
-
+  @{sh_path} r,
+  
  /dev/tty rw,

+  # if @{DE} == kde
+
+    include <abstractions/audio-client>
+    include <abstractions/bus-accessibility>
+    include <abstractions/bus-session>
+    include <abstractions/bus/org.a11y>
+    include <abstractions/graphics>
+
+    owner @{run}/user//@{uid}/#@{int} rw, 
+    owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+  # fi
+
  include if exists <abstractions/app/open.d>

 # vim:syntax=apparmor
--- a/apparmor.d/groups/children/child-open-any
+++ b/apparmor.d/groups/children/child-open-any
@ -13,11 +13,7 @@ include <tunables/global>

 profile child-open-any flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
-  include <abstractions/desktop>
-
-  @{open_path} mrix,
-
-  @{sh_path} r,
+  include <abstractions/app/open>

  @{bin}/**                     PUx,
  @{lib}/**                     PUx,
@ -32,10 +28,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) {
  /usr/                         r,
  /usr/local/bin/               r,

-  owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
-
-  /dev/tty rw,
-
  include if exists <usr/child-open-any.d>
  include if exists <local/child-open-any>
 }