diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino
similarity index 51%
rename from apparmor.d/profiles-a-f/dino-im
rename to apparmor.d/profiles-a-f/dino
index 07fba44a..f7d057f8 100644
--- a/apparmor.d/profiles-a-f/dino-im
+++ b/apparmor.d/profiles-a-f/dino
@@ -7,13 +7,16 @@ abi ,
 include
-@{exec_path} = @{bin}/dino-im
-profile dino-im @{exec_path} {
+@{exec_path} = @{bin}/dino{,-im}
+profile dino @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
+ include
 include
+ include
 include
 network inet dgram,
@@ -24,30 +27,26 @@ profile dino-im @{exec_path} {
 @{exec_path} mr,
- # Needed for GPG/PGP support
- @{bin}/gpg{,2} rCx -> gpg,
- @{bin}/gpgconf rCx -> gpg,
- @{bin}/gpgsm rCx -> gpg,
+ # Not in a subprofile because of no new privs
+ @{bin}/gpg{,2} rix,
+ @{bin}/gpgconf rix,
+ @{bin}/gpgsm rix,
+ @{lib}/gnupg/keyboxd rix,
+
+ owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+ owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 owner @{user_share_dirs}/dino/ rw,
 owner @{user_share_dirs}/dino/** rwk,
+ owner @{run}/user/@{uid}/gnupg/ rw,
+ owner @{run}/user/@{uid}/gnupg/S.keyboxd rw,
+
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
- profile gpg {
- include
-
- @{bin}/gpg{,2} mr,
- @{bin}/gpgconf mr,
- @{bin}/gpgsm mr,
-
- owner @{HOME}/.gnupg/ rw,
- owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
-
- include if exists
- }
-
- include if exists
+ include if exists
 }
 # vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 940b7b0b..bb995d3b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -87,6 +87,7 @@ cups-notifier-rss complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
 ddcutil complain
+dino attach_disconnected,complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
 dockerd attach_disconnected,complain
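Review bot: Switching gpg, gpgconf, gpgsm and keyboxd from the `gpg` child profile to `rix` in the second hunk means the new `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl` and `owner @{run}/user/@{uid}/gnupg/S.keyboxd rw` rules now apply to the dino process itself, not only to a confined gpg child as the removed `profile gpg` did; a compromised dino gains direct read/write access to the user's keyring and keyboxd socket. The comment `# Not in a subprofile because of no new privs` records the constraint but not that consequence, so I'd extend it to `# Not in a subprofile because of no new privs: gpg inherits this profile, so the keyring rules below are granted to dino itself`. If the no-new-privs restriction is what blocks `Cx` here, it may also be worth stating that in the commit message so nobody later moves these rules back into a child profile without re-testing. The `dists/flags/main.flags` hunk only registers the new `attach_disconnected,complain` flags and needs no change.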