mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-24 03:48:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(abs): rewrite the app/open abstraction to accomodate kde requirements.

Browse source 
See #630 #605  #647
This commit is contained in:
Alexandre Pujol 2025-01-20 22:40:36 +01:00
parent f15cbdfc5b
commit ef99c81eb1
Failed to generate hash of commit
2 changed files with 28 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
apparmor.d/abstractions/app/open
View file

@ -3,19 +3,42 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no # LOGPROF-SUGGEST: no
# Full set of rules for child-open-* profiles. # Full set of rules for desktop generic open-* used in child-open-* profiles.
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/desktop> include <abstractions/desktop>
@{open_path} mrix, # We cannot use `@{open_path} mrix,` here because it includes:
# @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
# And `@{multiarch}` as a wildcard that cannot be merged and that will generate
# "has merged rule with conflicting x modifiers" error when used with other
# wilcard over PUx transition.
@{bin}/exo-open mrix,
@{bin}/xdg-open mrix,
@{bin}/gio mrix,
@{bin}/kde-open mrix,
@{bin}/gio-launch-desktop mrix,
@{lib}/gio-launch-desktop mrix,
@{sh_path} r,
@{bin}/env rix, @{bin}/env rix,
@{sh_path} r,
/dev/tty rw, /dev/tty rw,
# if @{DE} == kde
include <abstractions/audio-client>
include <abstractions/bus-accessibility>
include <abstractions/bus-session>
include <abstractions/bus/org.a11y>
include <abstractions/graphics>
owner @{run}/user//@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
# fi
include if exists <abstractions/app/open.d> include if exists <abstractions/app/open.d>
# vim:syntax=apparmor # vim:syntax=apparmor

10
apparmor.d/groups/children/child-open-any
View file

@ -13,11 +13,7 @@ include <tunables/global>
profile child-open-any flags=(attach_disconnected,mediate_deleted) { profile child-open-any flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/desktop> include <abstractions/app/open>
@{open_path} mrix,
@{sh_path} r,
@{bin}/** PUx, @{bin}/** PUx,
@{lib}/** PUx, @{lib}/** PUx,
@ -32,10 +28,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) {
/usr/ r, /usr/ r,
/usr/local/bin/ r, /usr/local/bin/ r,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
/dev/tty rw,
include if exists <usr/child-open-any.d> include if exists <usr/child-open-any.d>
include if exists <local/child-open-any> include if exists <local/child-open-any>
} }