feat(profile): rewrite the dino profile.

see #426
2024-11-14 23:43:56 +01:00 · 2024-08-20 20:13:00 +01:00 · 2024-08-20 20:13:00 +01:00 · f14ed2f024
commit f14ed2f024
parent e74fade49a
2 changed files with 20 additions and 20 deletions
--- a/apparmor.d/profiles-a-f/dino-im
+++ b/apparmor.d/profiles-a-f/dino-im
@ -7,13 +7,16 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/dino-im
-profile dino-im @{exec_path} {
+@{exec_path} = @{bin}/dino{,-im}
+profile dino @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/audio-client>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
+  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>

  network inet dgram,
@ -24,30 +27,26 @@ profile dino-im @{exec_path} {

  @{exec_path} mr,

-  # Needed for GPG/PGP support
-  @{bin}/gpg{,2}         rCx -> gpg,
-  @{bin}/gpgconf         rCx -> gpg,
-  @{bin}/gpgsm           rCx -> gpg,
+  # Not in a subprofile because of no new privs
+  @{bin}/gpg{,2}         rix,
+  @{bin}/gpgconf         rix,
+  @{bin}/gpgsm           rix,
+  @{lib}/gnupg/keyboxd   rix,
+
+  owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+  owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

  owner @{user_share_dirs}/dino/ rw,
  owner @{user_share_dirs}/dino/** rwk,

+  owner @{run}/user/@{uid}/gnupg/ rw,
+  owner @{run}/user/@{uid}/gnupg/S.keyboxd rw,
+
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,

-  profile gpg {
-    include <abstractions/base>
-
-    @{bin}/gpg{,2} mr,
-    @{bin}/gpgconf mr,
-    @{bin}/gpgsm   mr,
-
-    owner @{HOME}/.gnupg/ rw,
-    owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
-
-    include if exists <local/dino-im_gpg>
-  }
-
-  include if exists <local/dino-im>
+  include if exists <local/dino>
 }

 # vim:syntax=apparmor
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -87,6 +87,7 @@ cups-notifier-rss complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
 ddcutil complain
+dino attach_disconnected,complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
 dockerd attach_disconnected,complain