# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}bin/arduino profile arduino @{exec_path} { include include include include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, ptrace (read) peer=arduino//open, ptrace (read) peer=arduino-builder, @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/id rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/groups rix, /{usr/,}bin/sed rix, /{usr/,}bin/cat rix, /{usr/,}bin/chmod rix, /{usr/,}bin/avrdude rix, /{usr/,}bin/xdg-open rCx -> open, /{usr/,}bin/dpkg-architecture rPx, /{usr/,}bin/arduino-builder rPx, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /usr/share/java/*.jar r, /etc/java-[0-9]*-openjdk/** r, /etc/ssl/certs/java/cacerts r, owner @{HOME}/.java/fonts/*/ rw, owner @{HOME}/.java/fonts/*/fcinfo[0-9]*.tmp rw, owner @{HOME}/.java/fonts/*/fcinfo-*.properties rw, include owner @{run}/user/[0-9]*/dconf/user rw, /usr/share/arduino/{,**} r, /usr/share/arduino-builder/{,**} r, /usr/share/doc/arduino/{,**} r, /usr/share/doc/arduino-core/{,**} r, owner @{HOME}/ r, owner @{HOME}/.arduino{,15}/{,**} rw, owner @{HOME}/Arduino/{,**} rw, owner @{HOME}/sketchbook/{,**} rw, owner @{HOME}/.Xauthority r, /tmp/ r, owner /tmp/cc*.{s,res,c,o,ld,le} rw, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, owner /tmp/untitled[0-9]*.tmp rw, owner /tmp/untitled[0-9]*.tmp/{,**} rw, owner /tmp/console[0-9]*.tmp rw, owner /tmp/console[0-9]*.tmp/{,**} rw, owner /tmp/build[0-9]*.tmp rw, owner /tmp/build[0-9]*.tmp/{,**} rw, owner /tmp/arduino_{build,cache}_[0-9]*/{,**} rw, owner /tmp/{library,package}_index.json*.tmp* rw, owner /tmp/arduino_modified_sketch_[0-9]*/{,**} rw, owner @{run}/lock/tmp* rw, owner @{run}/lock/LCK..ttyS[0-9]* rw, /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, # For java @{PROC}/@{pids}/stat r, # owner @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/if_inet6 r, @{PROC}/@{pid}/net/ipv6_route r, /etc/fstab r, /etc/avrdude.conf r, @{sys}/fs/cgroup/{,**} r, @{sys}/class/tty/ r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,manufacturer,serial,product} r, /dev/ttyS[0-9]* rw, /dev/ttyACM[0-9]* rw, # Silencer deny /usr/share/arduino/** w, profile open { include include /{usr/,}bin/xdg-open mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gawk rix, /{usr/,}bin/readlink rix, /{usr/,}bin/basename rix, owner @{HOME}/ r, owner @{run}/user/[0-9]*/ r, # Allowed apps to open /{usr/,}lib/firefox/firefox rPUx, /{usr/,}bin/spacefm rPUx, # file_inherit owner @{HOME}/.xsession-errors w, } include if exists }