# vim:syntax=apparmor # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via gio helper. # # NOTE: most likely you want to use xdg-open abstraction instead for better # portability across desktop environments, unless you are sure that confined # application only uses /usr/bin/gio directly. # # Usage example: # # ``` # profile foo /usr/bin/foo { # ... # /usr/bin/gio rPx -> foo//gio-open, # ... # } # end of main profile # # # out-of-line child profile # profile foo//gio-open { # include # # # needed for ubuntu-* abstractions # include # # # Only allow to handle http[s]: and mailto: links # include # include # # # < add additional allowed applications here > # } include include # Main executables /usr/bin/gio rix, /usr/bin/gio-launch-desktop ix, # for OpenSUSE /usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix, # System files /etc/gnome/defaults.list r, /usr/share/mime/* r, /usr/share/{,*/}applications/{,**} r, /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, /var/lib/snapd/desktop/applications/{,**} r, # User files owner @{HOME}/.config/mimeapps.list r, owner @{HOME}/.local/share/applications/{,*.desktop} r, owner @{PROC}/@{pid}/fd/ r, # Include additions to the abstraction include if exists