# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2015-2020 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
#
# AppArmor profile confining the minitube binary, plus two child profiles
# ("open" and "xdg-screensaver") that bound the helper scripts it spawns.
#
# NOTE(review): this copy lost every angle-bracketed target (the abi target,
# the include targets and the trailing "include if exists" target) in
# extraction; the bare `abi ,` / `include` lines below will not parse as-is.
# Restore the targets from upstream before loading the profile.

abi ,

include 

@{exec_path} = /{usr/,}bin/minitube
profile minitube @{exec_path} {
  # Shared abstractions (targets missing from this copy, see header note).
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 
  include 

  # Sockets: IPv4/IPv6 datagram and stream, plus netlink datagram and raw.
  # No other address families are granted.
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,

  # The binary itself: read + mmap-exec (m), no write.
  @{exec_path} mr,

  # Minitube home files.
  # `l -> target` restricts hard links to the named target pattern only;
  # `k` is file locking. All rules are owner-restricted.
  owner "@{HOME}/.config/Flavio Tordini/" rw,
  owner "@{HOME}/.config/Flavio Tordini/*" rwkl -> "@{HOME}/.config/Flavio Tordini/#[0-9]*[0-9]",
  owner "@{HOME}/.local/share/Flavio Tordini/" rw,
  owner "@{HOME}/.local/share/Flavio Tordini/Minitube/" rw,
  owner "@{HOME}/.local/share/Flavio Tordini/Minitube/*" rwk,

  # Snapshot output. Only *.png directly under ~/Pictures is writable.
  # NOTE(review): the second pattern matches only a file literally named
  # "vlcsnap-.png" (no wildcard); confirm against upstream whether a glob
  # was lost in extraction.
  owner @{HOME}/Pictures/*.png rw,
  owner @{HOME}/vlcsnap-.png rw,

  /usr/share/minitube/{,**} r,

  # If one is blocked, the others are probed.
  # Anonymous/deleted-file names under $HOME are denied (a `deny` rule is
  # also silent: no audit entry), while the .glvnd* fallback is allowed so
  # the probing stops there; the /tmp variants stay disabled.
  # NOTE(review): confirm against upstream that the .glvnd* rule is meant
  # to be an allow rather than a second deny.
  deny owner @{HOME}/#[0-9]*[0-9] mrw,
  owner @{HOME}/.glvnd* mrw,
  # owner /tmp/#[0-9]*[0-9] mrw,
  # owner /tmp/.glvnd* mrw,

  # Cache. Links are again constrained to a target pattern inside the
  # same cache tree, so a link cannot be used to reach outside it.
  owner @{HOME}/.cache/ rw,
  owner "@{HOME}/.cache/Flavio Tordini/" rw,
  owner "@{HOME}/.cache/Flavio Tordini/Minitube/" rw,
  owner "@{HOME}/.cache/Flavio Tordini/Minitube/**" rwl -> "@{HOME}/.cache/Flavio Tordini/Minitube/**",
  owner @{HOME}/.cache/qtshadercache/ rw,
  owner @{HOME}/.cache/qtshadercache/#[0-9]*[0-9] rw,
  owner @{HOME}/.cache/qtshadercache/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache/#[0-9]*[0-9],
  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
  owner @{HOME}/.cache/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{HOME}/.cache/qtshadercache-*-little_endian-*/#[0-9]*[0-9],

  # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM
  # without Qt integration. Read-only.
  owner @{HOME}/.config/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,

  # No listing of /dev itself (quiet deny); shared-memory scratch files only.
  deny /dev/ r,
  /dev/shm/#[0-9]*[0-9] rw,

  /etc/vdpau_wrapper.cfg r,

  # Quietly denied reads of the process's own cmdline and of the kernel
  # boot id; core_pattern stays readable.
  deny owner @{PROC}/@{pid}/cmdline r,
  deny @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/kernel/core_pattern r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  /usr/share/hwdata/pnp.ids r,

  # TMP: single-instance socket and its lock file (k = lock).
  owner /tmp/qtsingleapp-minitu-* rw,
  owner /tmp/qtsingleapp-minitu-*-lockfile rwk,

  # Cx: execute under the child profile "open" defined below.
  /{usr/,}bin/xdg-open rCx -> open,

  # Be able to turn off the screensaver while playing movies.
  # Cx: execute under the child profile "xdg-screensaver" defined below.
  /{usr/,}bin/xdg-screensaver rCx -> xdg-screensaver,

  # Allowed apps to open.
  # Px: transition to firefox's own profile; fails if that profile is not
  # loaded (no unconfined fallback here, unlike the child profile below).
  /{usr/,}lib/firefox/firefox rPx,

  # file_inherit
  owner /dev/tty[0-9]* rw,

  # Child profile for xdg-open. The shell and the text utilities run with
  # `ix` (inherit), so they stay bounded by this rule set.
  profile open {
    include 
    include 

    /{usr/,}bin/xdg-open mr,

    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/gawk rix,
    /{usr/,}bin/readlink rix,
    /{usr/,}bin/basename rix,

    owner @{HOME}/ r,
    owner @{run}/user/[0-9]*/ r,

    # Allowed apps to open.
    # PUx: transition to firefox's profile if loaded, otherwise run
    # unconfined -- weaker than the parent's Px rule.
    /{usr/,}lib/firefox/firefox rPUx,

    # file_inherit
    owner @{HOME}/.xsession-errors w,

  }

  # Child profile for xdg-screensaver. Helpers inherit (ix) this profile.
  profile xdg-screensaver {
    include 
    include 

    /{usr/,}bin/xdg-screensaver mr,

    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/mv rix,
    /{usr/,}bin/{,e}grep rix,
    /{usr/,}bin/sed rix,
    /{usr/,}bin/which rix,
    /{usr/,}bin/xset rix,
    /{usr/,}bin/xautolock rix,
    /{usr/,}bin/dbus-send rix,

    # X authority cookie, read-only, owner only.
    owner @{HOME}/.Xauthority r,

    # file_inherit: descriptors passed down from the parent.
    /dev/dri/card[0-9]* rw,
    network inet stream,
    network inet6 stream,

  }

  # Site-local override hook (target missing from this copy, see header note).
  include if exists 
}