mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
64469afa2c
While on it, - add some comments explaining what the profile does - adjust the rule with the Debian/Ubuntu path to work with Qt6 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961
47 lines
1,005 B
Text
47 lines
1,005 B
Text
abi <abi/4.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
profile plasmashell /usr/bin/plasmashell {
|
|
include <abstractions/dbus-session>
|
|
|
|
capability,
|
|
userns,
|
|
network,
|
|
dbus,
|
|
mount,
|
|
umount,
|
|
remount,
|
|
signal,
|
|
mqueue,
|
|
unix,
|
|
ptrace,
|
|
|
|
# allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
|
|
/usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
|
/usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
|
|
|
|
# allow to execute all other programs under their own profile, or to run unconfined
|
|
/** pux,
|
|
|
|
/{,**} mrwlk,
|
|
|
|
profile QtWebEngineProcess {
|
|
capability,
|
|
userns,
|
|
network,
|
|
dbus,
|
|
mount,
|
|
umount,
|
|
remount,
|
|
signal,
|
|
mqueue,
|
|
unix,
|
|
ptrace,
|
|
/** pux,
|
|
/{,**} mrwlk,
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
include if exists <local/plasmashell>
|
|
}
|