Merge branch 'flatpak-exports' into 'master'

abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro See merge request apparmor/apparmor!71
2025-03-05 17:01:00 +01:00 · 2018-07-29 23:39:41 +00:00 · 2018-07-29 23:39:41 +00:00 · f30544f185
commit f30544f185
parent 4ee50ae1c4 aa3022208f
4 changed files with 23 additions and 24 deletions
--- a/profiles/apparmor.d/abstractions/freedesktop.org
+++ b/profiles/apparmor.d/abstractions/freedesktop.org
@ -10,21 +10,12 @@
 # ------------------------------------------------------------------

  # system configuration
-  /usr/{,local/}share/applications/{*/,}               r,
-  /usr/{,local/}share/applications/{*/,}defaults.list  r,
-  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
-  /usr/{,local/}share/applications/{*/,}*.desktop      r,
-  /usr/share/icons/               r,
-  /usr/share/icons/**             r,
-  /usr/share/pixmaps/             r,
-  /usr/share/pixmaps/**           r,
-  /usr/local/share/icons/               r,
-  /usr/local/share/icons/**             r,
-  /usr/local/share/pixmaps/             r,
-  /usr/local/share/pixmaps/**           r,
+  @{system_share_dirs}/applications/{**,} r,
+  @{system_share_dirs}/icons/{**,}        r,
+  @{system_share_dirs}/pixmaps/{**,}      r,

  # this should probably go elsewhere
-  /usr/share/mime/**              r,
+  @{system_share_dirs}/mime/** r,

  # per-user configurations
  owner @{HOME}/.icons/                 r,
@ -32,12 +23,6 @@
  owner @{HOME}/.local/share/recently-used.xbel* rw,
  owner @{HOME}/.config/user-dirs.dirs  r,
  owner @{HOME}/.config/mimeapps.list   r,
-  owner @{HOME}/.local/share/applications/               r,
-  owner @{HOME}/.local/share/applications/*.desktop      r,
-  owner @{HOME}/.local/share/applications/defaults.list  r,
-  owner @{HOME}/.local/share/applications/mimeapps.list  r,
-  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
-  owner @{HOME}/.local/share/icons/     r,
-  owner @{HOME}/.local/share/icons/**   r,
-  owner @{HOME}/.local/share/mime/      r,
-  owner @{HOME}/.local/share/mime/**    r,
+  owner @{user_share_dirs}/applications/{**,} r,
+  owner @{user_share_dirs}/icons/{**,}        r,
+  owner @{user_share_dirs}/mime/{**,}         r,
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@ -32,8 +32,6 @@ owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
 owner @{HOME}/.qt/** rw,
 owner @{HOME}/.config/Trolltech.conf rwk,

-/usr/share/icons/ r,
-/usr/share/icons/** r,
 /usr/share/X11/XKeysymDB r,

 # kde3
--- a/profiles/apparmor.d/tunables/global
+++ b/profiles/apparmor.d/tunables/global
@ -18,3 +18,4 @@
 #include <tunables/alias>
 #include <tunables/kernelvars>
 #include <tunables/xdg-user-dirs>
+#include <tunables/share>
--- a/profiles/apparmor.d/tunables/share
+++ b/profiles/apparmor.d/tunables/share
@ -0,0 +1,15 @@
+@{flatpak_exports_root} = flatpak/exports flatpak/{app,runtime}/*/*/*/*/export
+
+# System-wide directories with behaviour analogous to /usr/share
+# in patterns like the freedesktop.org basedir spec. These are
+# owned by root or a system user, appear in XDG_DATA_DIRS, and
+# are the parent directory for `applications`, `themes`,
+# `dbus-1/services`, etc.
+@{system_share_dirs} = /usr/share /usr/local/share /var/lib/@{flatpak_exports_root}/share
+
+# Per-user/personal directories with behaviour analogous to
+# ~/.local/share in patterns like the freedesktop.org basedir spec.
+# These are owned by the user running an application, appear in
+# XDG_DATA_DIRS or XDG_DATA_HOME, and are the parent directory
+# for the same subdirectories as @{system_share_dirs}
+@{user_share_dirs} = @{HOME}/.local/share @{HOME}/.local/share/@{flatpak_exports_root}/share