feat(profile): add the open_path variable.
This commit is contained in:
parent
a46dfaad61
commit
f362975ce7
@ -55,9 +55,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
@{bin}/more rPx -> child-pager,
|
||||
@{bin}/pager rPx -> child-pager,
|
||||
|
||||
@{bin}/exo-open rPx -> child-open,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
audit @{bin}/** Pix,
|
||||
audit @{lib}/** Pix,
|
||||
|
@ -106,15 +106,12 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
|
||||
@{lib}/mozilla/plugins/libvlcplugin.so mr,
|
||||
|
||||
# Desktop integration
|
||||
@{bin}/exo-open rPx -> child-open,
|
||||
@{bin}/gnome-software rPx,
|
||||
@{bin}/kreadconfig5 rix,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{bin}/update-mime-database rPx,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gvfsd-metadata rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
# Common extensions
|
||||
/opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx,
|
||||
|
@ -71,9 +71,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/snap rPUx,
|
||||
|
||||
@{bin}/kreadconfig5 rPx,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/xdg-desktop-portal-validate-icon rPUx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/ r,
|
||||
/.flatpak-info r,
|
||||
|
@ -19,8 +19,7 @@ profile gnome-disks @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
owner @{user_cache_dirs}/gnome-disks/{,**} rw,
|
||||
|
||||
|
@ -44,8 +44,7 @@ profile gnome-extension-gsconnect @{exec_path} {
|
||||
@{lib}/gio/modules/*.so* rm,
|
||||
@{lib}/girepository-1.0/* r,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
@{share_dirs}/{,**} r,
|
||||
@{share_dirs}/gsconnect-preferences rix,
|
||||
|
@ -32,12 +32,9 @@ profile gnome-extension-manager @{exec_path} {
|
||||
|
||||
@{bin}/gjs-console rix,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/gnome-shell/org.gnome.Shell.Extensions r,
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
@ -25,8 +25,7 @@ profile gnome-extensions-app @{exec_path} {
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/gjs-console rix,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/gnome-shell/org.gnome.Extensions* r,
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
|
@ -38,9 +38,8 @@ profile gnome-software @{exec_path} {
|
||||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/gpgconf rCx -> gpg,
|
||||
@{bin}/gpgsm rCx -> gpg,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/revokefs-fuse rix,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/app-info/{,**} r,
|
||||
/usr/share/appdata/{,**} r,
|
||||
|
@ -46,8 +46,7 @@ profile gnome-terminal-server @{exec_path} {
|
||||
@{bin}/micro rPUx,
|
||||
@{bin}/nvtop rPx,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/icu/@{int}.@{int}/*.dat r,
|
||||
/usr/share/sounds/{,**} r,
|
||||
|
@ -88,8 +88,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/dconf/profile/gdm r,
|
||||
/usr/share/gdm/greeter-dconf-defaults r,
|
||||
|
@ -34,8 +34,7 @@ profile kgx @{exec_path} {
|
||||
@{bin}/micro rPUx,
|
||||
@{bin}/nvtop rPx,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
owner /tmp/#@{int} rw,
|
||||
|
||||
|
@ -54,11 +54,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
|
||||
@{lib_dirs}/vaapitest rPx -> torbrowser-vaapitest,
|
||||
|
||||
# Desktop integration
|
||||
@{bin}/exo-open rPx -> child-open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/@{name}/{,**} r,
|
||||
/usr/share/doc/{,**} r,
|
||||
|
@ -33,10 +33,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
|
||||
|
||||
@{bin}/{b,d}ash rix,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
|
||||
@{bin}/blueman-tray rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/blueman/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
@ -40,14 +40,11 @@ profile code flags=(attach_disconnected) {
|
||||
@{lib}/code/node_modules.asar.unpacked/**.node rm,
|
||||
|
||||
# Core tools
|
||||
@{bin}/gio rPx -> child-open,
|
||||
@{bin}/git rPx,
|
||||
@{bin}/gpg{,2} rPx,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{bin}/rg rix,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
# The shell is not confined on purpose.
|
||||
@{bin}/{,b,d,rb}ash rUx,
|
||||
|
@ -42,9 +42,7 @@ profile element @{exec_path} {
|
||||
@{lib}/element/{,**} r,
|
||||
@{lib}/element/app.asar.unpacked/node_modules/**.node mr,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
|
||||
/opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
|
||||
|
@ -64,8 +64,7 @@ profile engrampa @{exec_path} {
|
||||
# For deb packages
|
||||
@{bin}/dpkg-deb rix,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
# Allowed apps to open
|
||||
@{bin}/engrampa rPx,
|
||||
|
@ -37,8 +37,7 @@ profile evince @{exec_path} {
|
||||
|
||||
@{bin}/{,ba,da}sh rix,
|
||||
@{bin}/gio-launch-desktop rPx,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/djvu/{,**} r,
|
||||
/usr/share/evince/{,**} r,
|
||||
|
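Review bot: `@{bin}/gio-launch-desktop rPx,` on the context line above the new `@{open_path}` rule stays a bare `rPx` with no `-> child-open` target, so that path transitions to whichever profile attaches to it rather than to the shared child-open profile the @{lib} gio-launch-desktop variants now reach through the variable. If that binary is the same launcher as the @{lib} copies, change the line to `@{bin}/gio-launch-desktop rPx -> child-open,` or add the path to `@{open_path}` so every consumer gets it; if it is deliberately treated differently, a one-line comment saying why would stop the next reader from "fixing" it. The evince profile body continues outside this hunk.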
@ -41,8 +41,7 @@ profile file-roller @{exec_path} {
|
||||
@{bin}/zstd rix,
|
||||
@{lib}/p7zip/7z rix,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/themes/{,**} r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
@ -67,10 +67,7 @@ profile gpartedbin @{exec_path} {
|
||||
@{bin}/tune2fs rPx,
|
||||
@{bin}/xfs_io rPUx,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
@{HOME}/.Xauthority r,
|
||||
owner @{HOME}/*.htm w,
|
||||
|
@ -42,8 +42,8 @@ profile keepassxc @{exec_path} {
|
||||
|
||||
# Allowed apps to open
|
||||
@{bin}/geany rPUx,
|
||||
@{bin}/xdg-open rCx -> child-open,
|
||||
@{lib}/firefox/firefox rPx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/keepassxc/{,**} r,
|
||||
|
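Review bot: The new `@{open_path} rPx -> child-open,` replaces `@{bin}/xdg-open rCx -> child-open,`, which changes the exec transition from a local child profile (`Cx`) to the globally defined child-open profile (`Px`); that is a confinement change, not only a refactor, and deserves a sentence in the commit description. If the keepassxc profile defines its own `profile child-open` sub-profile (its body would be outside this hunk), that definition is now unreferenced and should be dropped, or the rule should stay `rCx -> child-open` if the local child was intentionally tighter than the shared one. The variable also adds exo-open and the gio-launch-desktop paths that keepassxc did not previously have.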
@ -92,7 +92,7 @@ profile qbittorrent @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/xdg-{open,mime} rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
@{bin}/python3.[0-9]* rCx -> python, # For "search engine"
|
||||
|
||||
# Allowed apps to open
|
||||
|
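Review bot: The removed rule `@{bin}/xdg-{open,mime} rPx -> child-open,` also covered `xdg-mime`, but `@{open_path}` as defined in this commit (exo-open, xdg-open and the two gio-launch-desktop paths) does not include it, so qbittorrent loses its exec rule for xdg-mime and those calls will now be denied. Keep an explicit `@{bin}/xdg-mime rPx -> child-open,` next to the new line, or add xdg-mime to the variable if every consumer should be allowed to run it. The qbittorrent profile body continues outside this hunk.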
@ -30,8 +30,8 @@ profile qpdfview @{exec_path} {
|
||||
@{bin}/bzip2 rix,
|
||||
@{bin}/xz rix,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/firefox/firefox rPUx,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/poppler/** r,
|
||||
|
@ -38,9 +38,7 @@ profile spotify @{exec_path} {
|
||||
@{lib_dirs}/{,**} r,
|
||||
@{lib_dirs}/*.so* mr,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/etc/libva.conf r,
|
||||
/etc/machine-id r,
|
||||
|
@ -21,7 +21,7 @@ profile syncthing @{exec_path} {
|
||||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
@{bin}/ip rix,
|
||||
|
||||
/usr/share/mime/{,*} r,
|
||||
|
@ -80,11 +80,8 @@ profile thunderbird @{exec_path} {
|
||||
@{bin}/gpgsm rPx,
|
||||
|
||||
# Desktop integration
|
||||
@{bin}/exo-open rPx -> child-open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{bin}/lsb_release rPx -> lsb_release,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
# Allowed apps to open
|
||||
@{bin}/engrampa rPx,
|
||||
|
@ -33,8 +33,7 @@ profile transmission-gtk @{exec_path} {
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
|
||||
|
@ -38,8 +38,7 @@ profile vidcutter @{exec_path} {
|
||||
@{bin}/ffprobe rPx,
|
||||
@{bin}/mediainfo rPx,
|
||||
|
||||
@{bin}/xdg-open rPx -> child-open,
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/qt5ct/** r,
|
||||
|
@ -49,8 +49,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
|
||||
@{bin}/ssh rPx,
|
||||
@{lib}/spice-client-glib-usb-acl-helper rPx,
|
||||
|
||||
@{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
|
||||
@{lib}/gio-launch-desktop rPx -> child-open,
|
||||
@{open_path} rPx -> child-open,
|
||||
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/gtksourceview-4/{,**} r,
|
||||
|
@ -31,3 +31,9 @@
|
||||
@{thunderbird_name} = thunderbird{,-bin}
|
||||
@{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name}
|
||||
@{thunderbird_path} = @{bin}/@{thunderbird_name} @{thunderbird_lib_dirs}/@{thunderbird_name}
|
||||
|
||||
# Open
|
||||
|
||||
@{open_path} = @{bin}/exo-open @{bin}/xdg-open
|
||||
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
|
||||
|
||||
|
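Review bot: The `# Open` header above the new `@{open_path}` definition does not say how the variable is consumed, and every user added in this commit pairs it with `rPx -> child-open`, so any path appended here later is implicitly granted, with that transition, to every profile that references the variable. A comment stating that contract would help future reviewers, e.g. `# Open: launchers used to open a file/URL with the default handler. Every path here is allowed from all profiles that use @{open_path} (always as rPx -> child-open), so only add launchers that should be reachable from every such profile.` The rest of the tunables file is outside this hunk.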