diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat
new file mode 100755
index 00000000..2d832d38
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat
@@ -0,0 +1,47 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat
+@{lib_dirs} = /opt/wechat/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{lib_dirs}/wechat
+profile wechat @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{lib_dirs}/crashpad_handler ix,
+ @{bin}/mkdir ix,
+ @{bin}/gawk rix,
+ @{bin}/lsblk rix,
+ @{bin}/ip rix,
+ @{bin}/xdg-user-dir rix,
+ @{open_path} rpx -> child-open-strict,
+
+ owner @{HOME}/.xwechat/{,**} rwk,
+ owner @{user_documents_dirs}/xwechat_files/{,**} rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage
new file mode 100755
index 00000000..b3ac3735
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat-appimage
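Review bot: The `@{open_path} rpx -> child-open-strict,` transition uses lowercase `p`, so the environment is not scrubbed when wechat hands a file or URL to the opener; the wechat-universal hunk in this same commit uses `rPx` for the identical rule, and the uppercase form drops variables such as LD_PRELOAD across the profile boundary. Suggest `@{open_path} rPx -> child-open-strict,` here, and the same rule in the wechat-appimage hunk has the same issue. `@{config_dirs}` and `@{cache_dirs}` are defined at the top of the file but no rule in the profile references them, so either the two definitions are dead or the access rules they were meant to back are missing. The `abi` and `include` targets appear to have been stripped by the page rendering, so the include set itself cannot be reviewed from here.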
@@ -0,0 +1,95 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat-appimage
+@{lib_dirs} = /opt/wechat-appimage/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat
+profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_override,
+ capability dac_read_search,
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} r,
+
+ @{sh_path} rix,
+ @{lib_dirs}/wechat-appimage.AppImage ix,
+ /tmp/.mount_wechat??????/AppRun ix,
+ @{bin}/mkdir ix,
+ @{bin}/gawk rix,
+ @{bin}/lsblk rix,
+ @{bin}/ip rix,
+ @{bin}/xdg-user-dir rix,
+ @{tmp}/.mount_wechat??????/opt/wechat/{,**} ix,
+ @{tmp}/.mount_wechat??????/usr/bin/wechat ix,
+ @{open_path} rpx -> child-open-strict,
+
+ mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) wechat-appimage.AppImage -> @{tmp}/.mount_wechat??????/,
+
+ umount @{tmp}/.mount_wechat??????/,
+
+ @{bin}/fusermount{,3} ix -> fusermount,
+ @{bin}/dirname rix -> fusermount,
+ @{bin}/readlink rix -> fusermount,
+
+ @{bin}/ r,
+ @{bin}/core_perl/ r,
+ @{bin}/site_perl/ r,
+ @{bin}/vendor_perl/ r,
+
+ /usr/local/bin/ r,
+ /usr/local/sbin/ r,
+
+ /etc/machine-id r,
+ /etc/fuse.conf r,
+
+ @{tmp}/.mount_wechat??????/AppRun r,
+ @{tmp}/.mount_wechat??????/ rw,
+ @{tmp}/.mount_wechat??????/opt/wechat/{,**} mr,
+
+ owner /var/tmp/etilqs_* rw,
+
+ @{HOME}/.xwechat/{,**} rwk,
+ owner @{user_documents_dirs}/xwechat_files/{,**} rwk,
+
+ /dev/fuse rw,
+ /dev/tty rw,
+
+ profile fusermount {
+ include
+ include
+ include
+ @{bin}/fusermount{,3} mr,
+
+ @{lib_dirs}/wechat-appimage.AppImage r,
+
+ @{PROC}/@{pid}/mounts r,
+
+ /dev/fuse rw,
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
index 9d563111..d03588bb 100644
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -42,6 +42,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
 @{open_path} rPx -> child-open-strict,
 /etc/lsb-release r,
+ /etc/machine-id r,
 owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
 owner @{HOME}/.xwechat/{,**} rwk,
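Review bot: `@{exec_path}` spells the image `@{lib_dirs}/wechat-appimage.Appimage` while the `ix` rule, the `mount` rule and the fusermount child all use `wechat-appimage.AppImage`; on a case-sensitive filesystem only one spelling matches the file, so either the profile attachment or the exec rule is dead. The same line attaches to `/tmp/.mount_wechat??????/user/bin/wechat` whereas the later rule permits `@{tmp}/.mount_wechat??????/usr/bin/wechat ix` — `user/bin` looks like a typo for `usr/bin`, and the literal `/tmp/` (also in the `AppRun ix` rule) should use `@{tmp}` like the other mount-point rules, e.g. `@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.AppImage @{tmp}/.mount_wechat??????/usr/bin/wechat`. `@{HOME}/.xwechat/{,**} rwk,` lacks the `owner` qualifier that the adjacent documents rule and both sibling wechat profiles use, so files under the home directory not owned by the invoking user become writable; `owner @{HOME}/.xwechat/{,**} rwk,`. The `ix -> fusermount` transitions (fusermount, dirname, readlink) pair an inherit mode with a named target, which I believe the parser does not treat as a switch into the child profile — confirm with apparmor_parser, and if so `Cx -> fusermount` is the form that actually confines the setuid fusermount in the child.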