diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
deleted file mode 100644
index 39359874..00000000
--- a/apparmor.d/profiles-a-f/code
+++ /dev/null
@@ -1,105 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss}
-
-@{exec_path} = @{lib}/electron@{int}/electron
-profile code flags=(attach_disconnected) {
- include
- include
- include
- include
- include
- include
- include
- include
-
- capability sys_ptrace,
-
- network inet stream,
- network inet6 stream,
- network inet dgram,
- network inet6 dgram,
- network netlink raw,
-
- signal (send),
-
- @{exec_path} mrix,
-
- @{lib}/code/node_modules.asar.unpacked/**.node rm,
-
- # Core tools
- @{bin}/git rPx,
- @{bin}/gpg{,2} rPx,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/rg rix,
- @{open_path} rPx -> child-open,
-
- # The shell is not confined on purpose.
- @{bin}/@{shells} rUx,
-
- # Confine some common tools
- @{lib}/code/extensions/git/dist/askpass.sh rPx,
- @{lib}/code/extensions/git/dist/git-editor.sh rPx,
-
- # Do NOT confine most of the extensions
- @{bin}/[a-z0-9]* rPUx,
- @{code_config_dirs}/extensions/** rPUx,
- @{HOME}/.go/bin/* rPUx,
- @{lib}/go/bin/* rPUx,
- @{bin}/python3.@{int} rUx,
-
- /etc/shells r,
- /etc/lsb-release r,
-
- owner @{HOME}/@{XDG_SSH_DIR}/config r,
-
- owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**,
-
- owner @{user_projects_dirs}/ r,
- owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,
-
- owner @{tmp}/@{uuid} rw,
- owner @{tmp}/vscode-*/{,**} rw,
- owner @{tmp}/vscode-ipc-@{uuid}.sock rw,
-
- owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw,
- owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw,
- owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw,
-
- @{run}/systemd/inhibit/*.ref rw,
-
- @{sys}/devices/system/cpu/present r,
- @{sys}/devices/system/cpu/kernel_max r,
- @{sys}/devices/virtual/tty/tty@{int}/active r,
-
- @{PROC}/ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/loadavg r,
- @{PROC}/sys/fs/inotify/max_user_watches r,
- @{PROC}/sys/kernel/yama/ptrace_scope r,
- @{PROC}/version r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/cmdline r,
- owner @{PROC}/@{pid}/comm w,
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/oom_score_adj rw,
- owner @{PROC}/@{pid}/statm r,
- owner @{PROC}/@{pids}/clear_refs w,
- owner @{PROC}/@{pids}/task/ r,
- owner @{PROC}/@{pids}/task/@{tid}/status r,
-
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper
deleted file mode 100644
index 707164b0..00000000
--- a/apparmor.d/profiles-a-f/code-wrapper
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/code{,-oss}
-profile code-wrapper @{exec_path} {
- include
- include
-
- @{exec_path} r,
-
- @{sh_path} rix,
- @{lib}/electron@{int}/electron rPx -> code,
-
- owner @{user_config_dirs}/code-flags.conf r,
- owner @{user_config_dirs}/electron@{int}-flags.conf r,
-
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
- include if exists
-}
-
-# vim:syntax=apparmor